
Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 


1. Thesis and Dissertation Collection, all items 


2008-03 

An integrative risk management/governance 
framework for homeland security decision making 

Ponenti, Albert M. 

Monterey, California. Naval Postgraduate School 


http://hdl.handle.net/10945/4189 
Downloaded from NPS Archive: Calhoun 



DUDLEY 

KNOX 

LIBRARY 


Calhoun is a project of the Dudley Knox Library at NPS, furthering the precepts and 
goals of open government and government transparency. AU information contained 
herein has been approved for release by the NPS Public Affairs Officer. 

Dudley Knox Library / Naval Postgraduate School 
411 Dyer Road / 1 University Circle 
Monterey, California USA 93943 


htt p ://w w w. n ps.e-du/l ib ra ry 



NAVAL 

POSTGRADUATE 

SCHOOL 

MONTEREY, CALIFORNIA 


THESIS 


AN INTEGRATIVE RISK MANAGEMENT/GOVERNANCE 
FRAMEWORK FOR HOMELAND SECURITY 
DECISION MAKING 

by 

Albert M. Ponenti 
March 2008 

Thesis Advisor: John Rollins 

Second Reader: Lauren Wollman 


Approved for public release; distribution is unlimited 




THIS PAGE INTENTIONALLY LEFT BLANK 



REPORT DOCUMENTATION PAGE 


Form Approved OMB No. 0704-0188 

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, 
searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send 
comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to 
Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 
22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 

I. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED 

March 2008 Master’s Thesis 

4. TITLE AND SUBTITLE An Integrative Risk Management/Governance 5. FUNDING NUMBERS 

Framework for Homeland Security Decision Making 

6. AUTHOR(S) Albert M. Ponenti _ 

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION 

Naval Postgraduate School REPORT NUMBER 

Monterey, CA 93943-5000 

9. SPONSORING /MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING 
N/A AGENCY REPORT NUMBER 

II. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the official policy 
or position of the Department of Defense or the U.S. Government. 

12a. DISTRIBUTION / AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE 

Approved for public release; distribution is unlimited _ 

13. ABSTRACT (maximum 200 words) 

National leaders, federal legislation, and the Department of Homeland Security all endorse the adoption of a risk 
management framework as an application for homeland security decision makers. Risk Management Frameworks 
developed by the Department of Homeland Security (DHS), the Government Accountability Office (GAO), and the 
International Risk Governance Council (IRGC) contain the elements for building a robust risk management 
framework for homeland security decision-making. Yet no single framework is perfect or perfectly applicable to 
homeland security, mainly because of the uncertainty and complexity of terrorism. This leaves the decision-maker 
with a series of challenges, the most pressing of which is to manage risk in the ever evolving arena of homeland 
security. 

This paper analyzes the principles of decision making and links them with the risk management processes 
illustrated in each of the frameworks. The final product is an integrative risk management/governance framework and 
an evaluation of its utility in a sample context: the nation’s passenger rail system. This study narrows the focus even 
further by conducting a threat analysis on the passenger rail system for the New York and New Jersey region, and 
applying the integrative risk management/governance framework against a hypothetical terrorist threat on that system. 

14. SUBJECT TERMS 15. NUMBER OF 

Risk Management Framework, Risk Assessment, Decision Making, Risk Management/Governance, PAGES 

Homeland Security Problem Space, Uncertainty, Complexity, Passenger Rail Risk _143_ 

16. PRICE CODE 

17. SECURITY 18. SECURITY 19. SECURITY 20. LIMITATION OF 

CLASSIFICATION OF CLASSIFICATION OF THIS CLASSIFICATION OF ABSTRACT 

REPORT PAGE ABSTRACT 

Unclassified Unclassified Unclassified UU 

NSN 7540-01 -280-5500 Standard Form 298 (Rev. 2-89) 

Prescribed by ANSI Std. 239-18 


1 




























THIS PAGE INTENTIONALLY LEFT BLANK 


11 



Approved for public release; distribution is unlimited 


AN INTEGRATIVE RISK MANAGEMENT/GOVERNANCE FRAMEWORK 
FOR HOMELAND SECURITY DECISION MAKING 


Albert M. Ponenti 

Sergeant First Class, New Jersey State Police 
M.A., Seton Hall University, 1998 

Submitted in partial fulfillment of the 
requirements for the degree of 


MASTER OF ARTS IN SECURITY STUDIES 
(HOMELAND SECURITY AND DEFENSE) 


from the 

NAVAL POSTGRADUATE SCHOOL 

March 2008 


Author: Albert M. Ponenti 


Approved by: John Rollins, Ph.D. 

Thesis Advisor 


Lauren Wollman, Ph.D. 
Second Reader 


Harold Trinkunas, Ph.D. 

Chairman, Department of National Security Affairs 



THIS PAGE INTENTIONALLY LEFT BLANK 


IV 



ABSTRACT 


National leaders, federal legislation, and the Department of Homeland Security all 
endorse the adoption of a risk management framework as an application for homeland 
security decision makers. Risk Management Frameworks developed by the Department 
of Homeland Security (DHS), the Government Accountability Office (GAO), and the 
International Risk Governance Council (IRGC) contain the elements for building a robust 
risk management framework for homeland security decision making. Yet no single 
framework is perfect or perfectly applicable to homeland security, mainly because of the 
uncertainty and complexity of terrorism. This leaves the decision maker with a series of 
challenges, the most pressing of which is to manage risk in the ever-evolving arena of 
homeland security. 

This paper analyzes the principles of decision making and li nk s them with the risk 
management processes illustrated in each of the frameworks. The final product is an 
integrative risk management/govemance framework and an evaluation of its utility in a 
sample context: the nation’s passenger rail system. This study narrows the focus even 
further by conducting a threat analysis on the passenger rail system for the New York and 
New Jersey region, and applying the integrative risk management/governance framework 
against a hypothetical terrorist threat on that system. 
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I. INTRODUCTION 


A. PROBLEM STATEMENT 

Managing homeland security risk, which can stem from both terrorism and natural 
disaster, is an enonnously complex undertaking and is also a critical task, considering the 
need to deploy finite resources effectively. During his testimony before the Homeland 
Security Subcommittee of the Senate Appropriations Committee, Secretary Michael 
Chertoff addressed the importance of adopting a risk-management strategy toward 
homeland security preparedness: 

What should drive our intelligence, policies, operations, and preparedness 
plans and the way we are organized is the strategic matrix of threat, 
vulnerability and consequence. And so, we’ll be looking at everything 
through that prism and adjusting structure, operations and policies to 
execute this strategy. 1 

As described by Secretary Chertoff, “threat, vulnerability, and consequence” are 
the guiding variables for managing risk. Yet, this is but one element of the risk- 
management process laid out by Secretary Chertoff. It is worth peeling back layers of the 
onion a bit further to explore the complexity of risk management framework applications 
that can assist the homeland security decision-making process. 

Secretary Chertoff has called for the full adoption of a risk management 
framework. It is essential for the Department of Homeland Security (DHS) to assess risk 
by determining which elements of risk should be addressed and in what ways, within 
available resources. A risk management framework can assist decision makers in 
developing courses of action (COA) relative to the homeland security problem space. 
Fully integrating a risk management approach into decision-making processes is 
challenging for any organization, and is particularly challenging for DHS, with its diverse 


1 DHS Secretary Michael Chertoff in an April 20, 2005, Speech before the Homeland Security 
Subcommittee of the Senate Appropriations Committee, outlined a strategy for “risk management.” 
http://www.dhs.gov/xnews/testimony/testimony_0035.shtm (Accessed on November 1, 2006). 
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set of responsibilities. The basic goal, however, across DHS homeland security programs, 
is similar: to identify, prevent where possible, and protect the nation from all risks to 
people, property, and the economy. 2 At the national level, this is a complex and critical 
undertaking. At the state and local level, it is even more complex, because governing 
bodies also have to deal with the additional priorities that stem from and are characteristic 
of regional constructs, social complexity, politics, economic factors, and infrastructure. 

A comprehensive risk management framework can assist state and local leaders 
with homeland security decision making. Frameworks developed by the DHS 
(Contained in the National Infrastructure Plan — NIPP), the Government Accountability 
Office (GAO), and the International Risk Governance Council (IRGC) contain the 
essential components and relative elements for building a robust risk management 
framework. 

Each one of these risk management frameworks can assist the decision maker 
with resource allocation and situational, course-of-action decisions. No single framework 
is perfect or perfectly applicable to homeland security, however, mainly because of the 
uncertainty and complexity of terrorism. This leaves the decision maker with a series of 
challenges, the most pressing of which is to manage risk in the ever-evolving arena of 
homeland security. 

B. HYPOTHESIS 

The various frameworks utilized for this study illustrate a process for managing 
risk. If the core components and elements from each are extracted and integrated into a 
single, cohesive risk management/governance structure, will it effectively improve the 
decision-making process? 

An important aspect of this study involves linking the elements of decision 
making with the risk-management processes illustrated in each of the frameworks. This 
will be accomplished by analyzing each of the components and their core elements, and 


2 United States Government Accountability Office, Homeland Security, Applying Risk Management 
Principles to Guide Federal Investments, GAO-07-386T (Washington, DC: February 7, 2007). 
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assessing their utility for the decision maker. Based on this analysis, we will be able to 
ascertain if the frameworks provide a logical set of actions that can produce a 
methodology for decision makers to follow. 

The final objective will be to construct an integrative risk 

management/governance framework from the appropriate components of each of the 
frameworks, and evaluate its utility against an issue in the field of homeland security - 
that of the vulnerability of the nation’s passenger rail system. This study will narrow the 
focus even further by conducting a threat analysis on the passenger rail system for the 
New York and New Jersey region, and applying the integrative risk 

management/governance framework against a hypothetical terrorist threat on that system. 

The consumers of this research will be state homeland security decision makers 
who are in need of a risk management framework that can guide and assist with resource 
allocation and course-of-action decisions. This risk management/governance framework 
will provide an effective model. 

C. LITERATURE REVIEW 

The management of risk is important to industry, the economy, health and health 
care, and many other elements of society. Risk management and how it pertains to 
homeland security is a critical topic and a priority for the nation’s homeland security 
mission. 

What is truly the most efficient way to manage risk? According to Chertoff, 
addressing homeland security requires a risk-management strategy based on “the strategic 
matrix of threat, vulnerability, and consequence.” Chertoff has stated that DHS must 
concentrate first on threats that could ultimately have catastrophic consequences. This 
provides a basic framework from which to start, but requires a more in-depth look at risk 
management, the homeland security mission of state and local public safety responders, 
and how decisions regarding threats and/or terrorist attacks are made. 

3 DHS Secretary Michael Chertoff, U.S. Department of Homeland Security Second Stage Review, 
speech was conducted at the Ronald Regan Building, Washington, DC, July 13, 2005. 
http://www.dhs.gov/xnews/speeches/speech_0255.shtm (Accessed February 5, 2007). 
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A multitude of literature is available regarding what constitutes risk. Some 
authors distinguish between risk assessment and risk management, others do not. Some 
incorporate risk assessment within the broader risk management label. Yacov V. Haimes, 
in Risk Modeling, Assessment, and Management, makes the distinction between the two 
tenns, while also recognizing significant overlaps. 4 Haimes explains that five steps 
constitute the entire risk-assessment and management process: 

1. Risk identification 

2. Risk modeling, quantification, and measurement 

3. Risk evaluation 

4. Risk acceptance and avoidance 

5. Risk management 

Haimes supports the use of models for decision makers, saying that models, 
methodologies, and procedures for risk assessment provide an essential service to 
decision makers — that of processing of data into intelligence — so the elements of risk 
that are associated with policy decisions can be properly valued, evaluated, and 
considered in the decision-making process. 5 

The National Preparedness Goal adopts a risk-based all-hazards approach that 
involves reorienting preparedness activities to enable officials to make informed choices 
that best manage risk and reduce impact. Risk is the product of threat, vulnerability, 
consequence, and likelihood of occurrence. 6 The National Preparedness Goal supports 
Secretary Chertoff s belief in a risk-based approach to homeland security. It also provides 
a capabilities-based strategy for managing risk, and references three capabilities-based 
planning tools: (1) The National Planning Scenarios; (2) The Universal Task List (UTL); 
and (3) The Target Capabilities List (TCL). With this approach, risk-based target levels 
can be customized for each capability and geographic area across the nation. 7 The 

4 Yacov V. Haimes, Risk Modeling, Assessment, and Management, 2nd ed. (John Willey & Sons, 
2004), 56. 

5 Ibid., 59. 

6 Department of Homeland Security, National Preparedness Goal, 2005, 3. 

7 Ibid., 7. 
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National Preparedness Goal provides capabilities that can assist in reducing risk, yet it 
does not provide a model for where these capabilities fit into the risk equation for threat, 
vulnerability, and consequence. 

A GAO report titled A Risk Management Approach Can Guide Preparedness 
Efforts, identifies a risk management model that is inclusive of an assessment process. 
According to the report, risk management is a systematic and analytical process that 
allows the decision maker to determine whether, and to what degree, a threat or attack 
will endanger an asset (e.g., a structure, individual, or function). Risk management also 
facilitates the identification of actions that can reduce the risk and mitigate the 
consequences. The report states that an effective risk management approach includes a 
threat assessment, a vulnerability assessment, and a criticality assessment. A threat 
assessment identifies and evaluates threats based on various factors, including capability 
and intention, as well as the potential impact. Vulnerability assessments and criticality 
assessments complete the equation, and allow the decision maker to better prepare 
against threats. 8 The report does not delineate which processes are involved with 
conducting the various assessments, but it does conclude that a risk management strategy 
will drive the preparedness effort as it pertains to homeland security. 

Robert G. Ross, chief of the Risk Sciences Branch of DHS, takes a step back and 
provides a more philosophical and big-picture discussion of risk and its consideration in 
homeland security decision making. In Risk and Decision-Making in Homeland Security, 
Ross examines the decision-making process and the complex, adaptive systems that are 
endemic to the nation’s terrorist adversaries. 9 Ross argues that the risk assessment 
framework currently used by DHS is inadequate and far from being understood. His 
paper identifies various models that are associated with risk management, and outlines 
the characteristics of a future DHS Risk Assessment “Tool Kit.” 


8 General Accountability Office, Homeland Security’: A Risk Management Approach Can Guide 
Preparedness Efforts, GAO-02-208T (October 31, 2001), 3. 

9 Robert G. Ross, “Risk and Decision Making in Homeland Security,” Office of Comparative Studies, 
Department of Homeland Security Science and Technology Directorate (July 31, 2006). 
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A Congressional Research Service (CRS) Report for Congress, The Department 
of Homeland Security’s Risk Assessment Methodology: Evolution, Issues, and Options for 
Congress, explains that terrorism risk analysis and assessment do not exist in a vacuum. 
Risk is analyzed and assessed as a means to mitigate or “buy down” risk over time by 
developing certain capabilities across the country. The State Homeland Security Grant 
Program is the primary tool used by DHS to do this. DHS has been very clear in utilizing 
a risk model for disseminating grant funds. These funds have helped state and local 
partners take the kind of action that not only reduce the risk of a terrorist attack, but also 
enable state and local agencies to respond effectively. 10 

The CRS Report presents several risk-assessment and related grant program 
options for congressional consideration. The report is broken down into three core areas: 
the Evolution of the DHS Risk Assessment Methodology; the Risk Assessment Stages of 
Development and Current Process; and Possible Approaches for Congress. The report 
includes risk management as a component of risk analysis, which it broadly defines as 
risk assessment, risk characterization, risk communication, risk management, and policy 
relating to risk in the context of risks that concern individuals, public and private sector 
organizations, and society at the local, regional, national, or global level. According to 
the CRS Report, risk analysis seeks to inform, not to dictate, the complex and difficult 
choices among possible measures to mitigate risk. 11 

D. REVIEW OF RISK MANAGEMENT FRAMEWORKS 

One of the most comprehensive risk management frameworks is the International 
Risk Governance Council (IRGC) framework, which delineates the process into three 
primary Risk Governance Phases: Pre-Assessment, Risk Appraisal, and Risk 
Management. These categories are further delineated and associated with a certain 
product or process. An example of this would be the Pre-Assessment Phase. A core 

10 Todd Masse, Siobhan O’Neil, John Rollins, “The Department of Homeland Security’s Risk 
Assessment Methodology: Evolution, Issues, and Options for Congress,” Congressional Research Service 
Report for Congress (CRS Order Code RL33858), February 2, 2007, 2. 
https://www.hsdl.org/homesec/docs/crs/nps .pdf [Accessed February 2007]. 

11 Ibid., 16. 
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element of this phase is Early Warning and Monitoring. Early Warning and Monitoring 
are processes used to detect and/or neutralize a threat. The IRGC framework suggests that 
appropriate measures taken in the Early Warning and Monitoring stages can assist in 
reducing the threat. Threat in this sense, would be the likelihood that a particular asset, 
system, or network will suffer an attack or incident. 12 Associated Early Warning and 
Monitoring functions such as, Fusion Centers and Intelligence Dissemination tools can 
assist in reducing the threat. 

Risk Characterization and Risk Evaluation are situated between Risk Appraisal 
and Risk Management, and can be assigned either to those charged with the assessment 
or those responsible for management, whichever is better equipped to perform the 
associated tasks. The IRGC framework also has Risk Communication as a companion to 
all phases of addressing and handling risk. However, the clear sequence of phases and 
steps offered by this process is primarily a logical and functional one, and will not always 
correspond to reality due to uncertainty and complex problems associated with risk. 13 
Although the IRGC framework offers a very complex, integrative approach to fusing risk 
assessment and risk management under the umbrella of governance, it is a model that has 
yet to be utilized within the security studies domain. 

In a GAO report released in 2007, risk management is recognized as a strategy for 
helping policy-makers make decisions about assessing risk, allocating resources, and 
taking actions under conditions of uncertainty. 14 To provide a basis for examining efforts 
for carrying out risk management, GAO developed a framework based on best practices 
and other criteria. The framework is divided into five phases: (1) Setting strategic goals 
and objectives, and determining constraint; (2) Assessing the risks; (3) Evaluating 
alternatives for addressing those risks; (4) Selecting appropriate alternatives; and (5) 
Implementing the alternatives and monitoring the progress made and the results 


12 Department of Homeland Security, National Infrastructure Protection Plan, 2006, 35. 

13 Ortwin Renn, International Risk Governance Council, “White Paper on Risk Governance: Towards 
an Integrative Framework,” September 2005. 

14 General Accountability Office, Homeland Security: Applying Risk Management Principles to Guide 
Federal Investments, GAO-07-386T (February 7, 2007), 3. 
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achieved. 15 The GAO report explains that the framework has been used to examine 
various programs, and that it will likely evolve as processes mature and lessons are 
learned. The disadvantage of the GAO framework is that its components are simplistic 
and offer very little guidance by way of inserting core elements that define how the 
framework can assist with the decision making process. 

The cornerstone of the National Infrastructure Protection Plan (NIPP) is its risk 
management framework. The NIPP defines risk as the combination of the frequency of 
occurrence, vulnerability, and the consequence of a specific hazardous event. In the 
context of the NIPP, risk is the expected magnitude of loss (e.g., deaths, injuries, 
economic damage, loss of public confidence, or government capability) due to a terrorist 
attack, natural disaster, or other incident, along with the likelihood of such an event 
occurring and causing that loss. 16 The NIPP risk management framework establishes the 
process for combining consequence, vulnerability, and threat infonnation to produce a 
comprehensive, systematic, and rational assessment of national or sector specific risk. It 
includes the following activities that can assist with the decision-making process: (1) Set 
security goals; (2) Identify assets, systems, networks, and functions; (3) Assess risk; (4) 
Prioritize; (5) Implement protective programs; (6) Measure effectiveness. The NIPP 
framework inserts core elements for each component of the structure, enabling the 
decision maker to make better informed decisions. 

The literature and the briefly defined risk management models examined thus far 
have focused primarily on the elements of risk, and how they pertain to a particular 
framework or methodology. An essential component, however, is to integrate the risk 
management frameworks with decision-making processes. The Military Decision-Making 
Process (MDMP) is a planning model that establishes procedures for analyzing a mission, 
developing, analyzing and comparing courses of action against criteria of success and 
against one another, selecting the optimum course of action, and producing a plan or 


15 General Accountability Office, Homeland Security, 9. 


16 Department of Homeland Security, National Infrastructure Protection Plan, 2006, 29. 
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order. The MDMP applies across the spectrum of conflict and the range of military 
operations. 17 It is a model that can be utilized to drive the risk management framework at 
various levels. 

Due to the ambiguity and uncertainty of risk and the possibility of an immediate 
threat surfacing, the decision-making process may need to be intuitive rather than the 
step-by-step process as defined by the MDMP. A Recognition-Primed Decision (RPD) 
model fuses two processes: the way decision makers size up the situation to determine 
whether a course of action makes sense; and mentally simulating, or imagining, the 
course of action to identify the possible consequences. 18 A comprehensive risk 
management framework can benefit from the RPD model, and assist in addressing 
elements of risk. 

E. RESEARCH METHODOLOGIES 

The GAO, NIPP, and IRGC frameworks illustrate the risk management process. 
Within each of the frameworks are the core components that drive the process. The 
methodology for this analysis will be to provide an overview of the frameworks’ 
components, and ascertain how those components factor into the decision-making 
process. For each component, the decision-making processes discussed in the literature 
will provide the construct for the analysis. In addition, the elements that support each 
component will be linked to the various decision-making processes, with examples 
provided to show its relevance. 

Based on this analysis, we will ascertain whether the frameworks provide a 
logical set of actions that a decision maker can follow. The commonalities extracted 
from each framework that prove to be effective will be identified and integrated into a 
risk management/govemance framework. The final objective will be to generate an 


17 U.S. Department of the Army, “Army Planning and Orders Production,” Field Manual 5-0: 
Washington, DC, January 20, 2005, 3-1. 

18 Gary Klein, Sources of Power: How People Make Decisions, Cambridge, Massachusetts: MIT 
Press, 1998, 24. 
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integrative risk management/governance framework built from the extracted components 
of each of the frameworks, and an evaluation of its utility against an issue within the 
homeland security arena. 

For the purposes of this research, we will look at the qualitative principles 
associated with risk management, and stand clear of any quantitative analysis that would 
influence the use of statistical data, or risk allocation grant methodology. We will also 
look at the qualitative attributes of risk analysis and risk assessment principles, and how 
they support the risk management process. The problem space associated with risk and 
homeland security decision making is vast and dense. In order to appropriately assess the 
integrative risk management/governance framework, we will focus on the threat of 
terrorism, rather than natural and technological hazards. 

Finally, through the principles associated with risk analysis and risk assessment, a 
qualitative threat analysis will be conducted for the passenger rail transportation system 
in the New York/New Jersey region. As was witnessed in the 2004 Madrid train 
bombings and the 2005 London bombings, the passenger rail transportation sector is a 
vulnerable target for terrorist organizations. We will create a threat-based scenario that 
targets the rail system in the New York/New Jersey region, and apply the integrative risk 
management/governance framework to it. 
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II. BACKGROUND 


A. OVERVIEW OF TERRORISM RISK AND RISK CONCEPTS 

1. Introduction 

Part A of this chapter is intended to establish an acceptable and usable definition 
of terrorism risk, and to review some of the concepts and tenninology that are utilized in 
risk management. For the purposes of this research, we will look at the qualitative 
principles associated with risk management, but will not undertake any quantitative 
analysis that would influence the utility of statistical data or risk allocation grant 
methodology. We will also look at the qualitative attributes of risk analysis and risk 
assessment principles, and how they support the risk management process. Finally, we 
will outline the methodology and foundation of risk analysis and risk assessment. 

2. An Acceptable Understanding of Terrorism Risk 

Robert G. Ross, in his paper “Risk and Decision Making in Homeland Security,” 
includes seventeen definitions of risk — a list he acknowledges is by no means 
exhaustive. Each definition, however, was developed to illustrate a particular aspect of 
risk and its utility within the context for which it was developed. The reason risk can 
have so many different meanings, with each being right, Ross points out, is that risk, no 
matter how well-grounded in reality, is a mental and emotional construct rather than a 
physical reality. 19 

The Oxford English Dictionary defines risk is a “hazard, chance of, or bad 
consequences, loss.” 20 Two elements emerge from this definition: the nature of the 
consequences of actions, and the likelihood of negative consequences. 


I" Robert Ross, “Risk and Decision Making in Homeland Security,” 3. 

Zur Shapira, Risk Taking: A Managerial Perspective (New York: Russell Sage Foundation, 1994), 
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The word “risk” is derived from the early Italian risicare, which means “to dare.” 
Peter L. Bernstein explains that risk is a choice rather than a fate. The actions we dare to 
take, which depend on how free we are to make choices, are what the story of risk is all 
about. 21 

The Nuclear Regulatory Commission (NRC) Glossary provides a less complex 
definition for risk, yet it captures its core meaning: Risk is the combination of (1) What 
can go wrong? (2) How likely is it? (3) What are the consequences? “ Rather than 
analyze multiple definitions and the construct in which risk is utilized, this paper will 
focus on how risk and risk management apply to the domain of homeland security. 

According to Yacov Y. Haimes, “To manage risk, one must measure it with 
appropriate metrics.” Haimes points out that this principle is applicable when addressing 
risks of terrorism; the first step is to identify all conceivable sources of risk. Haimes 
breaks it down into four major categories: 23 


1. Risk to human lives and to individual property, liberty, and freedom; 

2. Risk to organizational-societal infrastructures and the continuity of 
government; operations, including the military and intelligence-gathering 
infrastructure; 

3. Risk to critical cyber or physical infrastructures; 

4. Risk to economic sectors. 


Haimes writes that this is the first step in a decision-making process that will 
enable effective strategic and tactical planning. Although these categories are necessary, 
they are quite general, and would have a cascading impact on one another if a significant 
act of terrorism were to occur. However, the utility of these categories can be found if 
one narrows them down in terms of: (1) Who is targeting the U.S.? (2) What is going to 


-' Peter L. Bernstein, Against the Gods: The Remarkable Story’ of Risk (New York: John Wiley & 
Sons, 1996), 8. 

22 U.S. Nuclear Regulatory Commission: Full text Glossary, http://www.nrc.gov/reading-rm/basic- 
ref/glossary/full-text.html [Accessed January 28, 2008]. 

23 Yacov V. Haimes, Risk Modeling, Assessment and Management, 685. 
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be targeted? (3) What will the consequences be? An example would be a homegrown, 
radicalized terrorist group executing an attack on a passenger rail transportation system, 
resulting in multiple casualties. 

Department of Homeland Security (DHS) Secretary Michael Chertoff advocates a 
risk-based approach to homeland security. According to Chertoff, “DHS must base its 
work on priorities driven by risk and, increasingly, risk assessment and subsequent risk 
mitigation have influenced all of the department’s efforts intended to enhance our 
nation’s ability to prevent, respond to, and recover from future terrorist attacks and 
natural disasters.” Under Chertoff s direction, DHS manages risk in terms of threat, 
vulnerability, and consequence. DHS prioritizes policies and operational missions 
according to a risk-based approach, and has established a series of preventive and 

25 

protective steps to increase security at multiple levels. 

Risk as an underlying principle has also been influential in the way DHS allocates 
grant funds. Using its risk assessment formula, DHS considers the threat (T) to a 
target/area, multiplied by vulnerability (V) of the target/area, multiplied by consequence 

(C) of an attack on the target area. As a result, the risk assessment formula is 

26 

Henry Willis et ah, of the RAND Corporation, view terrorism risk as having three 
components: the threat to a target, the target’s vulnerability, and the consequences of a 
successful attack. People and organizations represent threats when they have the intent 
and/or the capability to damage a target. The threat to a target can be measured as the 
probability that the target would be attacked in a specific way during a specified period. 
Vulnerability is measured as the probability that damage would occur given a specific 


-4 Masse et al., “The Department of Homeland Security’s Risk.” 

25u.S. Department of Homeland Security, “Homeland Security Secretary Michael Chertoff Announces 
Six-Point Agenda for Department of Homeland Security,” Press Release, July 13, 2005, Office of the Press 
Secretary, http://www.dhs.gov/xnews/releases/press release 0703.shtm . [Accessed on January 30, 2008]. 

26 Masse et ah, “The Department of Homeland Security’s Risk.” 
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threat. Consequences are the magnitude and the type of damage that would result from a 
successful terrorist attack. Risk is the function of all three components: threat, 

97 

vulnerability, and consequences. 

By combining the categorical definitions of terrorism risk described by Haimes 
and the risk components of threat, vulnerability, and consequences as described by 
Secretary Chertoff and Willis et ah, we can develop a model that places threat, 
vulnerability, and consequence, plus intent and capability (an element of threat) at the 
center; risk is placed on the periphery (see Figure 1). This illustrates a broader 
definition of terrorism risk, and acknowledges that threat, vulnerability, and 
consequences are core components of risk analysis and management. For the purposes of 
this research, we will refer to this model as an acceptable definition of terrorism risk. 


- 7 Henry Willis et al., Estimating Terrorism Risk (Santa Monica, CA: RAND Center for Risk 
Management Policy, 2005), xvi. 

-8 Figure 1 is meant to illustrate the link between risk and the elements of threat, vulnerability, and 
consequence. Throughout this research, and in the contents of multiple homeland security documents and 
testimonies, these elements seem to be at the core of homeland security risk. 
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Risk to organizational- 
societal infrastructures, 
and the continuity of 
government operations, 
including the military and 
intelligence gathering 
infrastructure 


Risk to human lives and 
to individual property, 
liberty, and freedom 



Figure 1. Broader Definition of Risk 

3. Risk Concepts 

One of the most significant challenges in addressing the concept of risk in any 
context is the absence of a commonly accepted lexicon and a set of professional 
practices, particularly as they relate to the relatively new field of homeland security 
risk. Although this study focuses on the utility of risk management as it pertains to 
decision making, other terms related to risk are widely used. To ensure consistency and 
foster an understanding of where risk management fits into the “risk terminology” 
domain, it will be necessary to clarify risk concepts and definitions, and the utility they 
have for this paper. 

According to Ross, there are several schools of thought on proper definitions and 
hierarchical relationship between the terms “risk assessment,” “risk analysis,” and “risk 
management.” How each is defined and used often depends on who is leading the 


29 John P. Paczkowski, “Risk Management as Strategic Change in National Homeland Security 
Policy,” Naval Postgraduate School Thesis, September 2007, 14. 
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discussion. 30 For example, the Society for Risk Analysis (SRA) uses the tenn “risk 
analysis” as its cornerstone phrase, whereas DHS uses “risk assessment” in most of its 
risk-formula terminology. The U.S. Coast Guard’s Glossary of Risk Terms also provides 
definitions: 31 

Risk Analysis: Used interchangeably with risk assessment. 

Risk Assessment: The overall process of identifying and analyzing risks. 

The process of characterizing hazards within risk areas by analyzing them 
for their potential mishap, consequences and probabilities of occurrence, 
and combining the two estimates to reach a risk rating. 

Risk Management: The process by which assessed risks are mitigated, 
minimized, or controlled through engineering, management, or 
operational means. This involves the optimal allocation of available 
resources in support of group goals. 


A Congressional Research Service Report cites the SRA and its interpretation of 
risk analysis: Risk analysis is broadly defined to include risk assessment, risk 
characterization, risk communication, risk management, and policy relating to risk, in the 
context of risk concern to individuals, to public and private sector organizations, and to 
society at a local, regional, national, or global level. Risk analysis seeks to inform, not to 

T9 

dictate, the complex and difficult choices among possible measures to mitigate risk. 

The International Risk Governance Council (IRGC) refers to risk analysis as a 

TT 

collective term that covers risk assessment, risk management, and risk communication. 
Based on these two definitions, risk analysis seems to be the overarching term that 
captures both the assessment and management process. There are, of course, agencies 
and organizations that differ. For example, DHS differentiates between risk analysis and 
risk management, a philosophy that has been most evident in its resource allocation 

30 Robert Ross, “Risk and Decision Making in Homeland Security.” 

31 United States Coast Guard’s Glossary of Risk Terms, http://www.uscg.mil/hq/gm/risk/glossary.html 
[Accessed on March 18, 2008]. 

3 - Masse et al., “The Department of Homeland Security’s Risk,” 7, 16. 

33 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 63. 
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methodologies. This clearly illustrates the complexity of defining risk concepts and terms 
as they pertain to analysis, assessment, and management. 

Haimes offers an illustration of how these three concepts — that of analysis, 
assessment and management — build on each other. Haimes claims that risk analysis is a 
prelude to assessment, and that the analyst must answer three questions: 1) What can go 
wrong? 2) What is the likelihood that it will go wrong? 3) What are the consequences if it 
does go wrong? The answers to these questions help to identify, quantify, and evaluate 
risk and the potential impact. Risk assessment, a prelude to risk management according 
to Haimes, builds on the analysis by seeking answers to a second set of questions: 1) 
What can be done and what options are available? 2) What is the trade-off in terms of 
cost, benefit, and risk? 3) What will the impact of the current decision be on future 
options? 34,35 

The Government Accountability Office (GAO) has defined risk assessment as the 
process of qualitatively or quantitatively detennining the probability of an adverse event 
and the severity of its impact on an asset. According to the GAO, risk assessment is a 
coalescence of threat, vulnerability, and consequence. A risk assessment may include 
scenarios in which two or more threats interact to create a greater or lesser effect. A risk 
assessment provides the basis for the rank ordering of risks, and for establishing priorities 
for countermeasures. Viewing both Haimes and the GAO’s definitions, it seems that 
risk analysis is the building block and prelude to the overall risk assessment. Whether the 
analysis is done qualitatively or quantitatively, the end result supports the risk 
assessment. 

According to DHS, in the absence of pure tactical intelligence, the assessment of 
risk benefits from a rich and voluminous set of data, which can be mined for patterns of 
historical behavior, and can translate into the projection of likely threat scenarios 


W Paczkowski, Risk Management, 15. 

35 Yacov Y. Haimes, “Roadmap for Modeling Risks of Terrorism to the Homeland,” 35-41. 

3® Government Accountability Office, Risk Management - Further Refinements Needed to Assess 
Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure (Washington, DC: 
Government Accountability Office, December 2005), 111. 
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involving categories of assets and/or geographic areas. 37 For the purpose of this paper, 
and taking into account Haimes, GAO and DHS concepts of analysis and assessment, a 
risk analysis was conducted for the passenger rail transportation system in New York and 
New Jersey. A scenario was drawn from the analysis, with the intention of using the 
scenario to evaluate the utility of the risk management/governance framework as a 
decision-making support structure. 

B. RISK MANAGEMENT AND THE DECISION-MAKING PROCESS 

1. Introduction 

Recent legislation, national strategies, and public statements of government 
officials all call for the use of risk management as the cornerstone of the nation’s effort to 
protect its critical infrastructure, and to inform decision making in homeland security. 
Even in the most recent release of the National Strategy for Homeland Security, there is a 
clear emphasis on applying a comprehensive approach to risk management. This 
approach requires that we understand how to effectively manage risk and to identify the 
elements of risk management that will assist with decision-making process. Each of the 
risk management frameworks analyzed for this study outline a method that engages the 
decision-making process, and enables the decision maker to make well-informed choices 
relative to risk. 

2. The “Wickedness” of Decision Making in the Homeland Security 
Environment 

Risk is clearly a factor that must be taken into account when making homeland 
security decisions, but it is only one of several factors that must be considered. In 


33 Masse et al., “The Department of Homeland Security’s Risk,” 16. 

38 Edward J. Jopek and Kerry L. Thomas, Security Risk Management: Implementing a National 
Framework for Success in the Post 9/11 World. Appeared in a Monograph from the George Mason 
University School of Law’s entitled, “Critical Infrastructure Protection: Elements of Risk” (December 
2007), 1. 

39 George W. Bush, National Strategy> for Homeland Security, Washington, DC: The White House, 
October 2007, 1. 
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Lieutenant Colonel Dennis T. Gyllemsporre’s article, “Decision Navigation: Coping with 
21 "‘-Century Challenges in Tactical Decision Making,” he refers to John Von Neumann’s 
classic analytical decision-making process as a starting point for decision-making theory. 
According to Von Neumann, the decision maker ideally behaves in a strictly rational way 
to achieve the best results. This method has five steps: 

1. Identify the problem. 

2. Generate alternative solutions. 

3. Evaluate and choose between alternatives. 

4. Implement the chosen solution. 

5. Maintain the solution by monitoring, reviewing, and appraising the 
situation. 

Gyllemsporre believes the model is robust, especially if feedback loops are added 
to support connectivity between each of the steps. However, the model also assumes the 
decision maker possesses perfect knowledge, perfect rationality, all of the information 
required to make decisions, and the ability to make those decisions without using any 
human values, prejudices, or emotions. 40 

Ross illustrates the homeland security decision-making environment by blending 
the factors of complexity and a high degree of uncertainty that are endemic to homeland 
security with the idea of “wicked problems.” 41 The person who coined the term “wicked 
problem” was Horst Rittel. As Rittel defined it, wicked problems are distinguished by the 
following characteristics: 42 

• You do not understand the problem until you have developed a solution. 

• Wicked problems have “no-stopping” rule. 

• Solutions to wicked problems are not right or wrong. 

• Every wicked problem is essentially unique and novel. 

• Every solution to a wicked problem is essentially unique and novel. 

• Every solution to a wicked problem is a “one-shot operation.” 

40 Lieutenant Colonel Dennis T. Gyllensporre, “Decision Navigation: Coping with 21 st -Century 
Challenges in Tactical Decision Making, ” Military Review (September/October 2003), 26. 

41 Robert Ross, Risk and Decision-Making in Homeland Security, 11. 

42 Jeff Conklin, “Wicked Problems and Social Complexity” (2006), 7, 
http://cognexus.org/wpf/wickedproblems.pdf [Accessed February 27, 2008]. 
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• Wicked problems have no given alternative solutions. 

• Every wicked problem can be a symptom of another problem. 

• Any solution to a wicked problem will generate more problems. 

According to Jeff Conklin, the author of, “Wicked Problems and Social 
Complexity, ” there may be no solutions to wicked problems, or there may be a set of 
potential solutions that are devised, and another set of solutions that are never even 
considered. 43 He further asserts that it takes creativity to devise potential solutions, and 
that it is a matter of judgment to determine which solutions are valid, and should be 
pursued and implemented. 44 Conklin’s belief in the utility of creativity when devising 
potential solutions, and using sound judgment to determine validity is essentially at the 
core of homeland security decision making. It also supports the authors of the 9/11 
Commission Report, who pointed to a lack of imagination as being one of the primary 
failures of pre-9/11 homeland security. 45 

Conklin also believes that decision makers must have a sense of what contributes 
to the “wickedness” of a problem. The following are examples of wicked problems and 
how they could be applied to passenger rail transportation: 

• Screen every passenger or conduct random screening? 

• Screen every passenger and cause extensive delays in commuter operations? 

• Identifying a threat when there is a great deal of intelligence, but nothing 
specific. 

• Identifying a threat when there is no credible intelligence targeting 
passenger rail. 

• Identifying the appropriate response when there is tactical intelligence of a 
threat targeting passenger rail, and that intelligence is specific to cell 
operations? 


43 Masse et al., “The Department of Homeland Security’s Risk,” 4. 

44 Conklin, “Wicked Problems and Social Complexity,” 8. 

45 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the 
United States (New York: W.W. Norton & Co., 2004), 339. 
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Ross developed a model illustrating the difficulty of decision making in homeland 
security. Figure 2: Homeland Security Decision-Making Environment, blends the 
complexity and uncertainty of risk with the idea of wicked problems and social 
complexity. 46 His intention is to illustrate why the political aspects of homeland security 
problems can be so difficult to master. 47, 48 



Figure 2. Homeland Security Decision-Making Environment 49 


46 Robert Ross, Risk and Decision-Making in Homeland Security, 12. 

47 Ibid., 11. 

4 ^ The lower portion of the model offered by Ross, identifies Social Complexity as being very high 
when engaged with a wicked problem. This is based on theory regarding “wicked problems” offered by 
Horst Rittel and Melvin Webber. Rittel and Webber believe that, as distinguished from problems in the 
natural sciences, which are definable and separable and may have solutions that are findable, the problems 
of governmental planning - and especially those of social or policy planning - are ill defined; and they rely 
upon elusive political judgment for resolution. Social problems are never solved. At best they are only re¬ 
solved - over and over again. 

49 Robert Ross, “Risk and Decision Making in Homeland Security,” 13. 
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3. Analytical and Intuitive Decision Making in the Homeland Security 
Environment 

Modern approaches to the study of decision making have shifted focus and 
adopted a more integrated approach. This is illustrated in the Military Decision-Making 
Process (MDMP), which recognizes two methodologies that drive the decision-making 
process: Analytical Decision Making and Intuitive Decision Making. 50 According to the 
U.S. Army’s Field Manual (FM 5-0), analytical decision making approaches a problem 
systematically. Leaders analyze a problem, generate several possible solutions, analyze 
and compare the solutions to a set of criteria, and then select the best solution. This 
approach is methodical and works well in complex or unfamiliar situations because it 
allows the breakdown of tasks into recognizable elements. It ensures that the commander 
and staff consider, analyze, and evaluate all relevant factors. It is an appropriate method 
to use when there is time to analyze all facets of the problem and its solution. Because it 
does take time, it may not be the appropriate method to use when circumstances require 
immediate decisions. 51 

The second methodology discussed in the FM 5-0 is Intuitive Decision making, 
which it describes as the act of reaching a conclusion by using pattern recognition that is 
grounded in knowledge, judgment, experience, education, intelligence, boldness, 
perception, and character. It is faster than analytic decision making because decisions are 
based on an assessment of the situation, rather than a comparison of multiple courses of 
action. It is used when time is short or when the speed of decision is important. It relies 
on the experienced leader’s ability to recognize the key elements and implications of a 
particular problem or situation, reject the impractical, and select an adequate (rather than 
the optimal) course of action. Intuitive decision making significantly speeds up the 
decision-making process. It does not, however, work well when a situation includes 


50 The MDMP was chosen for this research due to the similar decision making processes that are 
evident within the homeland security environment. That being strategic, operational, tactical, analytical, 
and intuitive decision making. Each one of these decision making processes is reflective within the 
MDMP, and are applied during the risk management framework analysis. 

51 U.S. Department of the Army, “Army Planning and Orders Production,” 1-21. 
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inexperienced leaders, complex or unfamiliar situations, or competing courses of action. 
Additionally, substituting assessment for detailed analysis means that some implications 
may be overlooked. Commanders use intuitive decision making when time is short and 

52 

the problems are straightforward. It is usually appropriate during execution. 

The MDMP model illustrated in Figure 3 represents the steps to achieving optimal 
decision making. However, according to Karol G. Ross et ah, little guidance exists on 

C'J 

how to abbreviate the process.' 


5- U.S. Department of the Army, “Army Planning and Orders Production,” 1-21. 

53 Karol G. Ross et al., “The Recognition-Primed Decision Model,” Military’ Review (July/August 
2004), Military Module, 6. 
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Figure 3. MDMP Decision Making Model 54 


54 U.S. Department of the Army, “Army Planning and Orders Production,” 21. 
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Gary Klein, the author of Sources of Power: How People Make Decisions, has 
conducted research for military organizations for more than two decades, focusing on 
how individuals and organizations make decisions. According to Klein, intuitive decision 
making uses experience to recognize the patterns in a given situation. 55 The leader can 
quickly develop a course of action by employing mental war-gaming and pattern 
recognition learned through training, education and experience. The decision maker 
typically searches for the first course of action that will work in a given situation. It is 
experience and intuition that enable the leader to predict how a solution will work. 56 
Klein refers to this process as the Recognition Primed Decision (RPD) Model. Figure 4 
illustrates Klein’s concept. 
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Figure 4. Basic Recognition Planning Model 57 


55 Gary Klein, Sources of Power: How People Make Decisions, Cambridge, Massachusetts: MIT 
Press, 1998, 24. 

56 David A. Bushey and Michael J. Forsyth, “The Recognition-Primed Decision Model: An 
Alternative to the MDMP for GWOT,” FA Journal (January/February 2006), Military Module, 11. 

57 Karol G. Ross et al., “The Recognition-Primed Decision Model,” Military’ Review (July/August 
2004), Military Module, 7. 
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How can the analytical and intuitive principles of the MDMP model, integrated 
with the further in-depth, intuitive principles of the RPD model, assist with the decision¬ 
making process in an environment that is rife with wicked problems? Also, how do 
strategic, operational, and tactical levels of decision making figure into the environment 
of homeland security? 

Strategic Decision Making: Strategic Decision Making requires that goals and 
objectives be developed for a strategic course of action. From a short-tenn perspective, 
strategic-level decisions rely on operational input, and provide the context for tactical 
operations. This level of strategic decision making is reflective during conflict or a 
progressing event. From a homeland security perspective that is focused on long-tenn 
strategies, these decisions are made with relatively low frequency since they tend to drive 
overarching capability creation. An example of creating an overarching capability would 
be to regulate and/or mandate private sector actions, such as requiring chemical facilities 
to increase security as a condition of remaining in business. Another example of strategic 
decision making comes from DHS, with its long-term funding commitments to specific 
geographic regions, as is the case with the Urban Area Security Initiatives (UASI). 

Operational Decision Making: Operational Decision Making supports the 
strategic decision maker by implementing courses of action that support long-term 
strategic goals and objectives. The operational decision maker is required to ensure that 
operations can be carried out within existing capabilities. Operational and tactical-level 
decision making complement each other by linking operational plans to the deployment 
of resources that support strategic goals. An example would be an agency that has 
intelligence, gained through credible sources, that there is an immediate threat targeting 
the passenger rail transit system of New York and New Jersey. At the operational 
decision-making level, this would necessitate taking immediate preventive and protective 
measures at various transit nodes. The operational decision maker carries out these 
measures by identifying assets and technical entities, at the tactical level, that can assist in 
identifying the threat before it penetrates the passenger rail transit system. 

Tactical Decision Making: Tactical Decision Making involves the employment 

of units, assets, and entities that can support the operational requirements of the mission. 
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In the example provided above, once the decision has been made to mobilize assets and 
technical entities, it is the tactical decision maker who initiates the action and the 
execution. This may require random bag searches conducted by law enforcement officers, 
and explosive detection K9s at every transportation node. The tactical decision maker 
carries out this deployment process, and maintains communication with operational 
decision makers. 

The MDMP and RPD models contain principles that can assist with strategic, 
operational, and tactical level decision making. The MDMP model assists the military 
field commander who is faced with strategic decisions which will drive operations and 
deploy the appropriate tactical elements. The analytical components of the MDMP model 
are a methodical process that serves well in complex and unfamiliar situations. These 
elements - complexity and unfamiliarity - are reflective of wicked problems. The 
MDMP’s analytical approach also serves well when time is available to analyze all 
aspects of a problem and its solution. It is particularly applicable in the intelligence 
community, where time is often available to cycle data through the intelligence analysis 
process. In the event that actionable intelligence emerges, the analytical approach allows 
the decision maker to thoroughly evaluate the situation before considering a course of 
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action (see Figures 5). 


58 Figure 5 is meant to illustrate the complexity in homeland security as it relates to intelligence driven 
decision making. Figure 5 A is meant to provide a snapshot of the agencies who makeup the intelligence 
community. Figure 5B represents sources in which intelligence and data is collected from (acronyms are 
spelled out in list of acronyms and abbreviations). Figure 5C offers an intelligence process that is currently 
utilized by the New Jersey State Police. 


27 



Figure 5 A. Represents IC 



/NCT c 

o 


Figure 5B. Intelligence 
Collection Disciplines 


Figure 5C. Intelligence Cycle 

Manning! 


SIGINT 

GEOINT 

MASINT 

OS1NT 

HUMINT 

LEINT 



Figure 5. IC Wicked Problem 


The RPD model is based on intuition. Klein refers to intuition as depending on the 
use of experience to recognize key patterns that indicate the dynamics of a situation. 59 
Recognizing key patterns through experience, and making decisions based on them 
certainly pertains to operational and tactical decision making. In the current domain of 
homeland security, however, the reliance is on national priorities, national frameworks, 
and scenario models that are intended to make up for a lack of experience, and are 
generally designed to assist with strategic level decision making. This is at the fault of no 
one. Homeland security is a fairly new concept. It is driven by many factors that create a 
great deal of flexibility in the decision-making process. The intuition can be gained 
through understanding the motives, intent, and capabilities of terrorists. Klein asserts that 


59 Gary Klein, Sources of Power f 31. 
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examining a situation can create an awareness of typical ways of responding. 60 Decision 
makers are also educated through exercises that allow for decisive and reactionary 
decision making. 

Referring back to the example of wicked problems associated with the 
intelligence community, as illustrated in Figure 5, the intuitive approach of an FBI agent 
represents the agent’s experience with a particular (HUMINT) source that led to the 
identification of individuals developing peroxide-based explosives. The reliability of the 
source, coupled with the agent’s experience, can engage the intuitive process. 

The principles of analytical and intuitive decision making can influence the 
response to an identified risk. Traditionally, there are four ways to respond: avoid it, 
mitigate it, transfer it, or accept it. 61 For example, a vessel destined for a U.S. port may 
contain biological contaminants. Does the decision maker avoid the risk by not accepting 
the vessel into a U.S. port, and transfer the risk by rerouting it to another destination? 
Does the decision maker accept the risk by allowing the vessel to dock in a U.S. port, and 
then attempt to identify the biological contaminants in order to identify its origin and 
developer? Analytical decision making will rely on the tactical intelligence provided to 
the decision maker, whereas the intuitive decision-making process is more reflective of 
how the decision maker executes the intercept of the vessel. 

Each of the risk management frameworks are inclusive of strategic, operational, 
tactical, analytical, and intuitive decision making. Each share dependencies with one 
another. How the decision-making process is applied relies on the situation. If it requires 
strategic decision making, a more analytical approach may be more useful, whereas 
operational and tactical decision making require a blend of the two. In the next segment, 
we examine risk management and how it can improve capabilities in the homeland 
security environment. 


60 Gary Klein, Sources of Power,” 92. 

61 Robert Ross, “Risk and Decision Making in Homeland Security,” 3. 
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4. 


Risk Management and Capability Enhancement 


According to Ross, risk management is a collective term for actions taken to 
either reduce the probability of an adverse event occurring, and/or to minimize the 
consequences. The steps included in risk management include identification of potential 
adverse events; assessment of the associated probability and consequences (i.e., risk); 
selection of appropriate risk-reducing actions; communicating the necessary risk 
information to those who need it; implementing risk mitigation actions; and monitoring 
the effectiveness of the actions taken. " Ross’s definition captures the core elements of 
the risk management process that, for the most part, are components of the risk 
management frameworks used in this study. 

David J. Kaufman, during a presentation at the Naval Postgraduate School, 
discussed how risk analysis and risk management accommodate one another: “Risk 
analysis is the process by which risks are identified and evaluated, whereas, risk 
management is the suite of actions taken to actually influence risk identified through the 
analytical process.” As Kaufman put it, risk is identified through analysis, which in turn 
drives the decision-making action in the risk management process. Identified risks can 
allow for effective decision making if the capabilities and resources are sufficient to drive 
the risk down. A national effort is underway to increase the U.S. capabilities via a 
strategy that places risk management at its core. 

As states move forward with the development of State Preparedness Plans, they 
are using the guidance of the Target Capabilities List (TCL), which is intended to support 
the National Preparedness Goal (see Table 1: Target Capabilities List). The TCL provides 
a guide for development of a national network of capabilities that will be available when 
and where they are needed to prevent, protect against, respond to, and recover from major 


62 Robert Ross, “Combating Terrorism with Risk-Based Strategies,” working paper for the Office of 
Comparative Studies Department of Homeland Security Science and Technology Directorate, 2007. 

63 David J. Kaufman, Presentation on “Planning for Homeland Security,” Director for Preparedness 
Policy, Planning & Analysis, Department of Homeland Security, Naval Postgraduate School, Monterey, 
CA (October 10-11,2007). 
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events. 64 In the category of “Common Capabilities” is “Risk Management,” the 
foundation on which the “Mission Categories” of Prevention, Protection, Response, and 
Recovery, are built. The TCL also offers an outcome element that emphasizes the utility 
of risk management as a planning construct that supports effective prioritization 
and oversight of homeland security programs. 65 

The TCL refers to the GAO for a common and usable definition of risk 
management: “A continuous process of managing—through a series of mitigating actions 
that penneate an entity’s activities—the likelihood of an adverse event and its negative 
impact.” Risk management is grounded in the capacity of all levels of government to 
identify and measure risk prior to an event, and, based on threats/hazards, vulnerabilities, 
and consequences, devise a plan that enables leadership to manage exposure to the threat 
by prioritizing and implementing risk-reduction strategies. The capability and actions 
required to perform risk management may vary between levels of govermnent, but the 
foundation of risk management is constant. 66 


64 Target Capabilities List: A companion to the National, http://www.emaponline.org/ [Accessed on 
February 20, 2008]. 

66 Target Capabilities List: A companion to the National Preparedness Goal, 96. 

66 Ibid., 95. 
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Table 1. Target Capabilities List 67 


Phase I Capabilities (Included in this version of the TCL) 


Common Capabilities 
Planning 
Communications 
Community Preparedness and 
Participation 
Risk Management 

Intelligence and Information Sharing and 
Dissemination 

Prevent Mission Capabilities 
Information Gathering and Recognition of 
Indicators and Warning 
Intelligence Analysis and Production 
Counter-Terror Investigation and Law 
Enforcement 
CBRNE Detection 

Protect Mission Capabilities 
Critical Infrastructure Protection 
Food and Agriculture Safety and Defense 
Epidemiological Surveillance and 
Investigation 
Laboratory Testing 

Respond Mission Capabilities 
On-Site Incident Management 
Emergency Operations Center 
Management 

Critical Resource Logistics and 
Distribution 


Volunteer Management and Donations 
Responder Safety and Health 
Emergency Public Safety and Security 
Animal Disease Emergency Support 
Environmental Health 
Explosive Device Response Operations 
Fire Incident Response Support 
WMD and Hazardous Materials 
Response and Decontamination 
Citizen Evacuation and Shelter-in-Place 
Isolation and Quarantine 
Search and Rescue (Land-Based) 
Emergency Public Information and 
Warning 

Emergency Triage and Pre-Hospital 
Treatment 
Medical Surge 

Medical Supplies Management and 
Distribution 
Mass Prophylaxis 

Mass Care (Sheltering, Feeding and 
Related Services) 

Fatality Management 

Recover Mission Capabilities 
Structural Damage Assessment 
Restoration of Lifelines 
Economic and Community Recovery 


Risk management and decision making are clearly at center stage when it comes 
to identifying risks, the capability requirements they generate, and the strategy for 
meeting those requirements. By enhancing capabilities through asset development, 
products, processes, and systems, it is possible to drive down risk for a given sector. An 

67 Target Capabilities List: A companion to the National Preparedness Goal, vii. 
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example would be improving U.S. protection and prevention capabilities through a robust 
information- and intelligence-sharing network. This network could be established through 
statewide fusion centers, or through an intelligence-based management system that 
allows law enforcement entities to share information. Developing an intelligence-sharing 
capability may help the decision maker throughout the risk management process, simply 
by knowing such a capability exists. 

Figure 6, which is a variation of a graphic created by David Kaufman of DHS, 
illustrates the Likelihood of Event and Impact of Event with notional threats plotted in 
the upper right quadrant. The arrows represent the Mission Capabilities that, if in fact are 
enhanced, can drive the (IED Attack on Passenger Rail Train) down toward Residual 
Managed Risk. Thus, this improves our ability to manage risk and make better-informed 
decisions that can reduce the likelihood and impact of an event. 



Figure 6. Driving Down Risk Through Capability Enhancement 68 


68 Kaufman, Presentation on “Planning for Homeland Security.” 
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III. RISK MANAGEMENT FRAMEWORK ANALYSIS 


A. OVERVIEW OF THE RISK MANAGEMENT FRAMEWORKS AND THE 
DECISION-MAKING PROCESS 

1. Introduction 

This chapter introduces the risk management frameworks utilized for this study, 
and to take a closer look at the components that formulate each of the frameworks. The 
GAO, NIPP, and IRGC frameworks provide a model that illustrates the risk-management 
process. Within each of the frameworks are the core components that define the process. 
The methodology for this analysis is to provide an overview of each phase illustrated in 
the risk-management framework, and to ascertain how each component factors into the 
decision-making process. For each component, the decision-making processes discussed 
in Chapter II provide the construct for the analysis. This analysis is meant to be seen 
through the lens of a homeland security decision maker as it pertains to terrorism. From 
the position of the decision maker, the framework is notionally applied as a preparedness 
strategy, a pending event, or a progressing situation. The proposed methodology is not 
intended for a specific threat targeting an identified sector or region. The methodologies, 
however, are explored later in this paper and applied to a threat to the passenger rail 
transportation sector for NY/NJ. In addition, elements that support each component are 
linked to the various decision-making processes. Examples are provided to show the 
relevance for that particular process. 

2. The Government Accountability Office (GAO) Risk Management 
Framework 

While there is widespread support for using risk management in homeland 
security programs and decision making, doing so is a complex task that has few 
precedents and, until recently, little specific guidance. To provide a basis for examining 
efforts to carry out risk management, the GAO developed a framework based on best 
practices and other criteria. The framework is divided into five phases: (1) Setting 
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strategic goals and objectives, and determining constraints; (2) Assessing the risks; (3) 
Evaluating the alternatives for addressing the risks; (4) Selecting appropriate alternatives; 
and (5) Implementing the alternatives and monitoring the progress made and the results 
achieved (see Figure 7). 69 The GAO has used this framework to examine many programs, 
such as air cargo security, general aviation security, and surface transportation security. 

According to Ross, the GAO cycle (Figure 7) has several virtues. The first is its 
simplicity. By omitting many of the details provided in other examples, the GAO graphic 
provides the clearest and most easily understood cycle. Its biggest advantage is that it 
explicitly illustrates that the risk-management process really starts with strategic goals, 
objectives, and constraints established in law and administrative policies. 70 It is also 
necessary to note that the GAO framework is essentially a decision-making process. For 
example, a Six Step Ethical Decision Making process offered by the Ethics Resource 
Center lists the following steps: 

■ Step 1: Define the Problem 

■ Step 2: Identify Alternatives 

■ Step 3: Evaluate the Alternatives 

■ Step 4: Make the Decision 

■ Step 5: Implement the Decision 

■ Step 6: Evaluate the Decision 71 

Steps 3, 4, 5, and 6 can most certainly equate to the GAO components of 
Alternatives Evaluation, Management Selection, and Implementation and Monitoring. 
Therefore, it is necessary to dig a bit deeper into what types of decision-making processes 
occur at what phases, identify core elements for each component, and evaluate how it 
correlates with the homeland security risk problem space. 


® 9 Government Accountability Office, Homeland Security - Applying Risk, 8-9. 

70 Robert Ross, “Risk and Decision Making in Homeland Security,” Attachment B. 

71 Ethics Resource Center, Plus: The Decision Making Process, www.ethics.org/resources/decision- 
making-nrocess [Accessed on March 3, 2008]. 
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Figure 7. GAO Risk Management Framework 72 


Strategic goals and objectives stimulate strategic 
decision making, and establish the foundation for 
the GAO risk management process. According to 
Henry Mintzberg, strategic decisions are those that 
determine the overall direction of an enterprise and its ultimate viability in light of the 
predictable, the unpredictable, and the unknowable changes that may occur in its most 

important surrounding environment. 73 The unpredictable and unknowable identified by 
Mintzberg is reflective of the problem space associated with homeland security due to 
uncertainty and complexity. However, direction that is reflective of the goals and objectives 
is still required from decision makers. Mintzberg adds that the goals and objectives state what 
is to be achieved and when results are to be accomplished, but they do not state how the 
results are to be achieved. The programs implemented to support the goals and objectives 
specify the step-by-step sequence of the actions that are necessary to achieve major 

objectives. They express how objectives will be achieved within the limits set by policy.74 
This component of the GAO framework is the foundation and support for the remaining 
components of the cycle. 

72 Government Accountability Office, Homeland Security - Applying Risk, 9. 

72 Henry Mintzberg and James B. Quinn, The Strategy Process: Concepts and Contexts (Englewood 
Cliffs, New Jersey: Prentice Hall, 1992), 5. 

74 Mintzberg and Quinn, The Strategy’ Process, 5. 
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Strategic Goals, Objectives 
& Constraints 





(GAO) Strategic Goals Objectives and Constraints 

Strategic DM 

This component is reflective of Strategic DM at its core, and can be applied to 
multiple homeland security issues and concerns that may cut across many sectors. 
Decision makers can benefit from identifying the strategic goals, objectives and 
constraints that would provide the most effective course of action and positive 
outcomes. It also provides a starting point in the framework that can identify assets, 
systems, networks, processes, and capabilities to support the goals and objectives.75 

Operational DM 

Premature in the process for Operational DM to be effective unless threat is 
imminent. 

Tactical DM 

Premature in the process for Tactical DM to be effective unless threat is imminent. 

Analytical DM 

Identify the analytical tools, processes, networks, and systems that can support the 
next component of the GAO framework, which is Risk Assessment. For example, 
intelligence and information sharing and dissemination through the utilization of a 
statewide fusion center would represent analytical tools, processes, networks, and 
systems. 

Intuitive DM 

Premature in the process for Intuitive DM to be effective. 

Capability Based 

DM 

The decision maker will rely a great deal on those capabilities that will support the 
strategic goals and objectives. If capabilities do not exist that can support the overall 
strategic goal, the decision maker may realize the constraints and redirect the strategy. 
For example, a threat targeting malls statewide with an Improvised Explosive Device 
(IED). The strategic goals and objectives must reflect whether the capability exists to 
detect and defend against such attacks. 


The GAO believes that the assessment of risk is a critical 
component of the risk management approach. In many 
GAO documents and testimonies related to homeland 
security risk and decision making, it is suggested that there 
are key elements fused to this component. The GAO 
identifies three key elements — threats, vulnerabilities, and criticality — that inform the 
decision-making process. According to the GAO, threat assessment identifies and 
evaluates potential threats on the basis of such factors as capabilities, intentions, and past 
activities. A vulnerability assessment identifies weaknesses that may be exploited by 
identified threats, and suggests options to address those weaknesses. A criticality 


Risk Assessment 

• Threats 

• Vulnerabilities 

• Criticality 


75 These terms are utilized to represent operational functions of assets, systems, networks, and 
processes. They are not intended to be definitive in terms of identifying critical infrastructure that is evident 
in the NIPP. Examples in this case would be, a Fusion Center representing an asset; an intelligence cycle 
representing a process and a system; and an intelligence/information dissemination function linking federal, 
state, and local agencies would represent a network. 


38 












assessment evaluates and prioritizes assets and functions in terms of specific criteria, 
such as its importance to public safety and the economy, as a basis for identifying which 
structures or processes are more important to protect from attack. Information from these 
three assessments can lead to a risk characterization, such as high, medium, or low, and 
provide input to the task of prioritizing security initiatives. 76 

This component of the framework includes the risk analysis that provides the 
analytical tools to support the overall risk assessment (although it is not illustrated in the 
framework). The GAO identifies threat, vulnerability, and criticality as key elements. It 
defines risk assessment as being qualitative and/or quantitative to assist in determining 
the likelihood of an adverse event occurring, its severity and impact, and the 
consequences. It may include scenarios under which two or more risks interact, creating 
greater or lesser impacts, as well as the ranking of risk events. 77 Risk assessment is 
inclusive of each of the decision-making processes shown in the table below. 


76 U.S. Government Accountability Office, Transportation Security - Systematic Planning Needed to 
Optimize Resources (Washington, DC: Government Accountability Office, February 15, 2005), 4. 

77 U.S. Government Accountability Office, Rail Security - Some Actions Taken to Enhance Passenger 
and Freight Rail Security, but Significant Challenges Remain (Washington, DC: Government 
Accountability Office, March 23, 2004), Appendix I. 
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(GAO) Risk Assessment 


Strategic DM 

The Risk Assessment Component builds on the goals and objectives, and provides the 
decision maker with a better understanding of situational awareness, the identity of 
root causes, and the determinants for a course of action. Through the lens of the 
Strategic DM, resource allocation for developing threat analysis, vulnerability 
analysis, and criticality analysis, as well as pre-planning, will rely heavily on a 
thorough risk-assessment process. 

Operational DM 

The Operational DM may rely on the products generated by the Risk Assessment that 
are specific to threats, vulnerability, and criticality and that are the essential elements 
of the component. These include, for example, threats targeting a critical sector, such 
as dams. Intelligence analysis and production will support the Operational DM by 
identifying which dams are most critical, and which operational elements are needed 
to prevent an attack. 

Tactical DM 

The Tactical DM relies on the Risk Assessment Component to identify adversarial 
capabilities. To support the example provided above, the Tactical DM may need to 
know how dams may be attacked to determine if tactical intervention and execution is 
required. 

Analytical DM 

The Risk Assessment Component directly reflects the Analytical DM process. The 
Analytical DM factors in assets, systems, networks, processes, and capabilities that 
are significant to the core elements, i.e., threat, vulnerability, and criticality. 
Analytical DM feeds off the risk assessment to make the best informed decision. 

Intuitive DM 

The Intuitive DM may identify with an element of the Risk Assessment Component 
that may necessitate immediate action. This could also cause the decision maker to 
skip the Alternative Evaluation and Management Selection components and transition 
into the Implementation and Monitoring Component (see Figure 7). 

Capability Based 
DM 

The Risk Assessment Component will drive Capability Based DM. Threat, 
vulnerabilities, and criticality are all linked to the mission areas and target capabilities 
discussed in Chapter II. Capability Based DM will rely on the risk assessment for the 
mission areas and target capabilities that will have the greatest impact in driving 
down risk. 


The GAO, in many of its documents, does not 
define the Alternatives Evaluation component of 
the framework. However, Alternatives Evaluation 
is an element of the decision-making process. It relies on the validity of the Risk 
Assessment Component. Yet once again, due to the uncertainty and complexity of the 
homeland security problem space, the Alternatives Evaluation Component must be 
flexible enough in the event the Risk Assessment Component produces unreliable 
products. Alternatives Evaluation does, however, affect the various levels of the decision¬ 
making processes outlined below. 


Alternatives Evaluation 
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(GAO) Alternatives Evaluation 

Strategic DM 

Alternatives Evaluation would support the Strategic DM during the Strategic Goals, 
Objectives and Constraints Component if the problem was identified. However, 
during risk assessment, a different set of problems can surface causing a redirection in 
strategy. The Alternatives Evaluation Component provides a mid-point for the 
Strategic DM to re-evaluate the course of action. 

Operational DM 

The Operational DM can look to the Alternatives Evaluation Component as an 
assessment stage prior to deployment. The Operational DM may opt to develop 
alternatives based on the risk assessment. 

Tactical DM 

The Tactical DM will rely on the Alternatives Evaluation Component as an 
assessment stage prior to execution, and will closely coordinate with the Operational 
DM in the event an alternative course of action has been determined. 

Analytical DM 

Alternatives Evaluation supports the Analytical DM by providing time to review the 
products generated by the Risk Assessment Component. The Analytical DM may 
identify deficiencies and gaps in the risk assessment, and re-assess a particular 
element. 

Intuitive DM 

The Alternatives Evaluation Component can assist the Intuitive DM if there is an 
alternative course of action that the decision maker has experienced in the past and 
that had a positive outcome. 

Capability Based 

DM 

The Alternatives Evaluation Component may lead to a redirection in strategy. 
Therefore, Capability Based DM may need to revaluate assets, systems, and networks 
in order to support a refocused strategy. 


To this point in the process, the three components 
of (1) Strategic Goals, Objectives and Constraints, 
(2) Risk Assessment, and (3) Alternatives 
Evaluation have been mutually dependent, engaging the decision-making process at 
various levels. It is the Management Selection Component that enables the decision 
maker to move forward with a course of action. As illustrated in the table below, this is 
the staging phase prior to implementation. 


Management Selection 
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(GAO) Management Selection 

Strategic DM 

The Strategic DM ensures that Operational, Tactical, Analytical and Capability Based 
decision makers understand the course of action, which should be based on the work 
done in the previous phases. 

Operational DM 

The Operational DM ensures that the Management Selection Component is adequate 
to deliver a positive outcome and the resources to mobilizes assets and engages 
networks, systems, and processes that will support the Implementation and 
Monitoring Component. 

Tactical DM 

The Tactical DM coordinates with the Operational DM to ensure interoperability and 
verifies management selection objectives. 

Analytical DM 

The Analytical DM preps the systems, networks, and processes that will be relied 
upon during the implementation and monitoring phase. For example, situational 
awareness for the Operational DM may rely on intelligence and information 
dissemination from a state fusion center. 

Intuitive DM 

The Intuitive DM reflects on prior experience and knowledge, and determines how 
the internal understanding of the problem can be met with a positive outcome based 
on the Management Selection. 

Capability Based 
DM 

Capabilities have already been determined, and are waiting to be implemented. 


This is the last component of the GAO risk 
management framework. The Implementation and 
Monitoring Component is critical to how a problem 
can be mitigated. Once again, in dealing with the 
uncertainty and complexity of the homeland security risk problem space, implementation 
needs to be closely monitored due to the dynamics that can perplex the decision-making 
process. The cyclical process inherent in the GAO framework allows the decision maker 
to transition back to the Strategic Goals, Objectives and Constraints Component if the 
components of implementation and monitoring deviate away from the original course of 
action set forth by the goals and objectives. In addition, what is apparent is that 
components in this decision-making process are dependent on one another, which means 
the decision maker relies on the continuous elements of the risk assessment to support 
operations. 


Implementation and 
Monitoring 


42 













(GAO) Implementation and Monitoring 

Strategic DM 

The Strategic DM is reliant on the monitoring component. This is based on the fact 
that if the implemented strategy fails, the Strategic DM can transition back into 
developing strategic goals and objectives and develop another course of action. 
Monitoring is an essential element of the Risk Assessment Component, which can be 
processed through the various systems, processes, and networks. 

Operational DM 

The Operational DM is directly engaged in the Implementation and Monitoring 
Component. Operational DM relies on a continual risk assessment to improve 
situational awareness. The Operational DM is a consumer of intelligence and 
information, which can be generated from analytical tools and produce products to 
support decision making. 

Tactical DM 

The Tactical DM is directly engaged in the Implementation and Monitoring 
Component due to execution and action. Tactical DM relies on a continual risk 
assessment of the immediate operating environment. The Tactical DM maintains 
communication with the Operational DM to ensure the course of action is consistent 
with the strategic goals, and objectives. 

Analytical DM 

The Analytical DM supports the Operational DM and Tactical DM by generating 
products through intelligence and information gathering processes and systems. 
Therefore, a continuous risk assessment focused on the recognition of indicators and 
warnings is paramount. 

Intuitive DM 

It is in this component of the framework that Intuitive DM can be adopted and acted 
upon. The Operational, Tactical, Analytical, and Capability Based decision makers 
are all engaged at the Implementation and Monitoring Component. The Intuitive DM 
emphasizes pattern recognition based on knowledge, judgment, experience, 
education, intelligence, boldness, perception, and character. The dynamics of an 
unfolding event may trigger pattern recognition and necessitate an immediate change 
in the course of action. 

Capability Based 
DM 

Capability Based DM is closely monitored by all those who are engaged in utilizing 
the assets, systems, and networks to support the course of action. 


The GAO has suggested in many of its reports that by building a robust risk 
management framework, homeland security decision making can be improved 
dramatically. It further suggests that “risk management is the best approach to guide 
programs and responses to better prepare against terrorism and other threats.” 78 The GAO 
framework is simplistic, and merely offers a starting point for the decision-making 
process. It reflects a cyclical decision-making process, with each component offering 
guidance to the decision maker. 

Clearly reflective in the decision-making process tables was the inclusion and 
reliance on the Risk Assessment Component and its core elements of threat, vulnerability, 

78 U.S. Government Accountability Office, Homeland Security - A Risk Management Approach can 
Guide Preparedness Efforts (Washington, DC: Government Accountability Office, October 31, 2001), 11. 
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and criticality. The decision-making process was dependent on the Risk Assessment 
Component to guide decisions through the entire framework. The GAO has emphasized 
the importance of risk assessment as the centerpiece of its risk management process. 
GAO suggests that, after threat, vulnerability, and criticality assessments are completed 
and evaluated in a risk-based decision process, key actions can be taken to better prepare 
against potential attacks or events. The GAO also says that threat assessments alone are 
insufficient to support key decisions; leaders and managers can make better decisions if 
they use a risk management approach in conjunction with vulnerability and criticality 
assessments. 79 

Although the decision-making process tables are meant to reflect how decision 
making is executed using the components of the GAO framework — with the exception 
of the Risk Assessment Component — there has been little support by the GAO 
indicating how the other components of the risk management framework interact with the 
decision maker. 

3. The National Infrastructure Protection Plan (NIPP) Risk 
Management Framework 

The NIPP has been described as a base plan or national blueprint for how DHS, 
sector-specific agencies, and other relevant stakeholders should coordinate critical 
infrastructure and key resource-protection initiatives. 80 As has been previously stated, 
adoption of a risk-management framework is essential for DHS to assess risk, determine 
which elements should be addressed within available resources, and set homeland 
security priorities. 81 Central to the entire concept of the NIPP, and at the heart of sector 
planning and implementation efforts, is the NIPP’s risk-management framework. That 


79 Homeland Security - A Risk Management Approach can Guide Preparedness Efforts, 12. 

80 John P. Paczkowski, “Risk Management as Strategic Change in National Homeland Security 
Policy,” Naval Postgraduate School Thesis, September 2007, 50. 

81 Government Accountability Office, Homeland Security - Applying Risk, 3. 
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framework establishes basic principles and criteria for assessing the vulnerability of 
critical infrastructure and key resources, and formulating and managing the 
implementation of security strategies. 82 

The cornerstone of the NIPP is its risk management framework. NIPP defines risk 
as the combination of the frequency of occurrence, vulnerability, and the consequence of 
a specified hazardous event. In the context of the NIPP, risk is the expected magnitude of 
loss (e.g., deaths, injuries, economic damage, loss of public confidence, or government 
capability) due to a terrorist attack, natural disaster, or other incident, along with the 
likelihood of such an event occurring and causing that loss. 83 The NIPP risk-management 
framework establishes the process for combining consequence, vulnerability, and threat 
information to produce a comprehensive, systematic, and rational assessment of national 
or sector-specific (meaning transportation, energy, water) risk that drives infrastructure 
protection activities. The framework applies to the general threat environment, as well as 
to specific threats or incidents. The NIPP risk management framework illustrated in 
Figure 8 includes the following activities: (1) Set security goals; (2) Identify assets, 
systems, networks, and functions; (3) Assess risk; (4) Prioritize; (5) Implement protective 
programs; and (6) Measure effectiveness. 

The NIPP utilizes the risk management framework as part of the overall effort to 
ensure a steady state of protection within and across the critical infrastructure/key 
resource sectors. DHS, the various sector-specific agencies and their security partners 
share responsibility for implementation of the NIPP risk management framework. Sector- 
specific agencies are responsible for leading sector-specific risk management programs, 
and for ensuring that the tailored, sector-specific application of the risk management 
framework is addressed in their respective sector-specific plans. 84 

The NIPP offers a more detailed description of how the NIPP risk-management 
framework can assist with the decision-making process. While the GAO offered a broad, 

82 U.S. Department of Homeland Security, National Infrastructure Protection Plan - Executive 
Summary (Washington, DC: U.S. Department of Homeland Security, 2006), 1-5. 

83 Ibid., 29. 

84 Ibid., 30. 
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simplistic framework, the NIPP digs deeper into the core elements of each component to 
leam how they apply to the decision-making process. 

The methodology for the analysis will remain the same. Each component is 
examined through the eyes of the homeland security decision maker. The component 
represents the phase or stage within the framework; the core elements represent the 
foundation upon which the component is built. The analysis will also identify 
commonalities and distinct differences between the NIPP and the GAO processes. 



Continuous Improvement to enhance protection of CI/KR 


Figure 8. NIPP Risk Management Framework85 

The NIPP describes this component as a way to 
define specific outcomes, conditions, end points, or 
performance targets that collectively constitute an 
effective protective posture. This description is 
based on the achievement of a robust, protected, and resilient infrastructure requiring 
national and sector-specific homeland security goals that collectively represent the 
desired security posture. 86 The NIPP further outlines descriptive elements to support the 
Set Security Goals Component of the framework by narrowing the scope and focusing on 
security goals as they relate to sectors. The bullets below are viewed from a sector 
perspective representing security goals and their related supporting objectives: 

86 U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2006, 29. 

86 Ibid., 31. 
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• Define the protective (and, if appropriate, the response or recovery) posture 
that security partners seek to attain; 

• Express this posture in terms of objective metrics and the time required to 
attain it through specific supporting objectives; 

• Consider distinct assets, systems, networks, operational processes, business 
environments, and risk management approaches; 

• Vary according to the specific business characteristics and security landscape 
of the affected sector, jurisdiction or locality. 

The NIPP refers to the above items from a collective standpoint, suggesting that 
these goals can guide all levels of government and the private sector in tailoring 
protective programs and activities to address CI/KR protection needs. 87 The NIPPs 
support for this component is clear in the elements provided above. The NIPP lays out a 
foundation in which this component can be reflective. The four elements described above 
enhance decision making, particularly for the Strategic DM. This was not the case in the 
GAO model, which left the decision maker to determine how goals and objectives were 
to be decided. There is also more description for the decision maker in setting security 
goals. 


87 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 29. 
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(NIPP) Set Security Goals 

Strategic DM 

The Strategic DM can find utility in each element of the Set Security Goals 
Component for developing a COA. The elements build upon one another, and can 
benefit the Strategic DM for both long-term and short-term goals. As an example, the 
first element is to define the protective (and, if appropriate, the response or recovery) 
posture that security partners seek to attain. The Strategic DM can identify what 
levels of protection are needed to, for example, safeguard chemical plants. The 
Strategic DM develop supporting objectives, and then consider distinct assets, 
systems, and networks that represent the operational processes needed to support 
objectives, and to conduct security for chemical plants in given a jurisdiction or 
locality. 

Operational DM 

Premature in the process for Operational DM to be effective unless threat is 
imminent. The Operational DM may offer guidance to the Strategic DM for 
appropriate response- or recovery-related missions. 

Tactical DM 

Premature in the process for Tactical DM to be effective unless threat is imminent. 
The Tactical DM may offer guidance to the Operational DM based on execution 
strategies for a given environment. An example would be levels of personal protective 
equipment (PPE) for entities responding to a chemical facility containing chlorine. 

Analytical DM 

The Analytical DM will support the security goals by identifying distinct assets, 
systems, networks, operational processes, business environments, and risk 
management approaches to best support the SSP. 

Intuitive DM 

Premature in the process for Intuitive DM to be effective. 

Capability Based 
DM 

Capability Based DM can set security goals based on specific business characteristics 
and the security landscape of a given sector, jurisdiction or locality. The Capabilities 
can then be defined as through MAs and TCs. 


To meet its responsibilities under the Homeland 
Security Act and HSPD-7, DHS maintains a 
comprehensive national inventory of the 
information needed to identify those assets, 
systems, networks, and functions that make up the nation’s CI/KR. This information may 
be different for each sector because it is collected on an asset, system, network, or 
function basis, as determined by the fundamental characteristics of each sector. 88 DHS 
compiles the inventory in a manner that enables it to be quickly scanned, searched, and 
analyzed. This allows DHS to rapidly identify the assets, systems, networks, or functions 
that may be the subject of emergent terrorist statements or interest. DHS maintains the 
inventory in the National Asset Database (NADB) that is meant to be used as support to 


Identify Assets, Systems, 
Networks, and Functions 


88 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 31. 


48 















domestic incident management by helping to inform decision making, establish strategies 
for response, and identify priorities for restoration, remediation, and reconstruction. 

According to a Congressional Research Service Report, many critics of the 
NADB have assumed that it is (or should be) DHS’s list of the nation’s most critical 
assets. According to the report, critics are concerned that the database, in its current fonn, 
is being used inappropriately, as the basis upon which federal resources, including 
infrastructure protection grants, are allocated. DHS refutes these assumptions and 
characterizes the NADB not as a list of critical assets, but rather as a national inventory 
from which various lists of critical assets are produced. As such, DHS maintains that the 
database is just the first step in its risk-management process as outlined in the NIPP. 89 

The utility of the NADB can assist the decision maker. If the creators of the 
database intended to support incident management decision making, the NADB should be 
current, and populated in a manner suggested in the NIPP, i.e., by using a bottom-up and 
top-down approach. The bottom-up approach should include an aggregate assessment at 
the facility level with regard to both on-site and off-site consequences to the facility’s 
mission, as well as the surrounding population, that could result from natural disasters, 
accidents, or terrorist attacks. A top-down approach normally includes an assessment of 
key missions, and the identification of high-level processes, capabilities, and functions on 
which those missions depend. 90 

The Identify Assets, Systems, Networks, and Function Component (IASNF) was 
not a component of the GAO framework. From the contents of the NIPP, we are able to 
extract the elements that support this component of the NIPP framework. It is also 
important to note the context in which IASNF is utilized. Throughout this paper, assets, 
systems, networks, and functions are referred to as operational elements (see footnote 7). 
In this sense, they represent CI/KR. The elements below will assist with the analysis of 
the decision-making processes table. 


89 Congressional Research Service, Critical Infrastructure: The National Asset Database 
(Washington, DC: Congressional Research Service, September 14, 2006), Summary. 

90 U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2006, 32. 
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• System components that are essential to the infrastructure mission and function; 

• Dependencies and interdependencies (i.e., what an asset depends on in order to 
function, and which assets are reciprocally dependent upon it); 

• Specific information on the asset, system, network or function needed to support 
consequence analysis; 

• Assessment information that would enable DHS to conduct further comparative 
risk analysis in cooperation with SSAs, the private sector, other security partners, 
or subject matter experts. 


(NIPP) Identify Assets, Systems, Networks, and Functions 


Strategic DM 

The Strategic DM can use this component of the framework to further assist with 
developing goals, objectives, and setting a COA. Each element uniquely provides the 
Strategic DM with evidence of how to protect a particular category of critical 
infrastructure. The NADB would be an optimal starting point for the Strategic DM to 
outline the system components that are essential to the infrastructure mission and 
function. The Strategic DM can develop a COA based on this information and protect 
the most vital components of that particular infrastructure. 

Operational DM 

The Operational DM can review the assets, systems, networks, and functions for a 
particular set of critical infrastructure, and evaluate methods for deterring penetration 
and the detection of terrorist activity. 

Tactical DM 

The Tactical DM can also review the assets, systems, networks, and functions for a 
particular set of critical infrastructure, and to evaluate protective measures and 
response operations from a tactical perspective. 

Analytical DM 

The Analytical DM looks to the assets, systems, networks, and functions component 
to begin developing risk assessment strategies specific to critical infrastructure. The 
Analytical DM can extract pertinent information relative to system components 
essential for function, dependencies and interdependencies of an asset, and generate 
risk analysis products for the Assessment of Risk Component. 

Intuitive DM 

Premature in the process for Intuitive DM to be effective. 

Capability Based 
DM 

By identifying assets, systems, networks, and functions, the Capability Based DM can 
identify what TCs are essential for the prevention, protection, response, and recovery 
for a particular sector. 

_ 

Various methodologies are available to facilitate risk 


assessment. Many owners and operators use risk 
assessment methodology as a component of their 
business continuity and disaster mitigation planning. A 
common approach based on a robust understanding of 
existing methodologies is needed to enable the setting of 
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protection priorities across sectors. 91 The NIPP acknowledges that the first element of 
this approach is to establish a common definition and process for analysis of the basic 
factors of risk for CI/KR protection. In Chapter II, we recognized the relevance of these 
elements by identifying them in government documents, publications, and testimony 
from DHS Secretary Michael Chertoff. From this, we concluded that these core elements 
helped to establish a broader understanding of terrorism risk (see Figure 1). The NIPP 
identifies these elements within the Assess Risk Component as a function of 
consequence, vulnerability, and threat. Within each element exists baseline criteria that 
can assist the decision maker by way of assessment and analysis. For each of the 
elements, we will look at some of the suggested steps and tools offered by the NIPP that 
can assist the decision maker. 

Consequence: This constitutes the negative effects on public health and safety, 
the economy, public confidence in institutions, and the functioning of government, both 
direct and indirect, that can be expected if an asset, system, or network is damaged or 
disrupted by a terrorist attack, natural disaster, or other incident. 92 

In the NIPP framework, consequence is measured as the range of loss or damage 
that can be expected. Consequences that are considered at the national level are divided 
into four main categories: 

• Human impact: Effect on human life and physical well-being (e.g., fatalities, 
injuries); 

• Economic impact: Direct and indirect effects on the economy (e.g., cost to 
rebuild the asset, cost to respond to and recover from attack, downstream costs 
resulting from disruption of product or service, long-term costs due to 
environmental damage); 

• Impact on public confidence: Effect on public morale and confidence in national 
economic and political institutions; 

• Impact on government capability: Effect on the government’s ability to maintain 
order, deliver minimum essential public services, ensure public health and safety, 
and carry out national security-related missions. 93 


91 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 35. 

92 Ibid. 

93 Ibid. 
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These criteria provide the decision maker only with what is relative to 
consequences. A consequence assessment tool would certainly enhance the decision 
maker’s ability to make better-informed decisions if the tool examined the inherent 
characteristics of assets, systems, or networks to identify worst-case consequences that 
are likely to result if the CI/KR in question is destroyed, incapacitated, or exploited. DHS 
is sponsoring the development of a suite of tools based on the Risk Analysis and 
Management for Critical Asset Protection (RAMCAP) framework that satisfies the 
baseline criteria for risk assessment, and can be used for national cross-sector risk 
assessment. This tool set enables owners and operators to calculate potential 
consequences and vulnerability to an attack using a consistent system of measurements. It 
also provides the means to convert and compare the results obtained from assessments 
performed with other suitable methodologies that are consistent with the NIPP baseline 
criteria. 94 

Vulnerability: This is the likelihood that a characteristic of, or a flaw in, an asset 
or network’s design, location, security posture, process, or operation renders it 
susceptible to destruction, incapacitation, or exploitation by terrorist or other intentional 
acts, mechanical failures, and natural hazards. 95 

• Detennining an appropriate vulnerability assessment strategy (e.g., self- 
assessment, state or federally led assessment, expert reviews, or independent 
third-party assessment); 

• Identifying a methodology/tool appropriate for the particular type of asset, 
system, or network under consideration; 

• Identifying and grouping vulnerabilities using common threat scenarios; 

• Identifying dependencies and interdependencies with other assets and 
sectors; 

• Considering vulnerabilities associated with physical, cyber, and human 
elements; 

• Analyzing benefits of existing protective programs; 

• Assessing residual gaps to detennine unresolved vulnerabilities. 


94 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 37. 

95 Ibid. 
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An assortment of vulnerability-assessment approaches are used by the different 
CI/KR sectors. The primary vulnerability-assessment methodologies used in each sector 
are described in the respective SSPs. The SSPs also provide specific detail regarding how 
the assessments can be carried out (e.g., by whom, how often). 96 The vulnerability 
assessment can fulfill the many unanswered gaps that a decision maker may need to call 
upon prior to developing a preparedness strategy or COA. But, as stated in the 
consequence assessment, the tools that deliver the metrics and analysis provide support 
for the decision maker. 

Threat: It is the likelihood that a particular asset, system, or network will suffer 
an attack or an incident. In the context of risk from a terrorist attack, the estimate of this 
is based on the analysis of the intent and the capability of an adversary. In the context of 
natural disaster or accident, the likelihood is based on the probability of occurrence. 97 

The remaining factor to be considered in the NIPP risk-assessment process is the 
analysis of threat. In the context of terrorist risk assessment, the threat component of the 
analysis is calculated based on the likelihood of a terrorist attack method on a particular 
asset, system, or network. The estimate of this likelihood is based on an analysis of intent 
and capability of a defined adversary. The incident management, disaster response, public 
safety, and other communities have developed and use various tools to estimate the threat 
of natural disasters and accidents. These tools include such analytical aids as the models 
used by the National Hurricane Center (NHC) to forecast hurricane landfall and the fault 
tree models used by the National Regulatory Commission (NRC) in nuclear power plant 
engineering analysis. Because similar models are not yet in broad use for terrorist threats, 
the NIPP provides an augmented framework for the terrorist aspects of threat analysis. 98 

To assist the decision maker, the NIPP identifies a tool and function that will 
funnel threat information and intelligence to homeland security leaders. The DHS 
Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) conducts integrated 


96 U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2006, 38. 

97 Ibid., 35. 

98 Ibid., 38. 
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threat analysis for all CI/KR sectors." HITRAC develops analytical products by 
combining intelligence expertise based on all-source information, threat assessment, and 
trend analysis, with practical business and CI/KR operational expertise informed by 
current infrastructure status and operations information. Tools such as HITRAC are being 
developed on a smaller scale at statewide fusion centers with the full intention of sharing 
critical threat analysis with infrastructure stakeholders. 

The NIPP suggests that risk assessments for CI/KR protection consider all three 
components of risk, and are conducted on an asset, system, network or function basis, 
depending on the fundamental characteristics of the infrastructure being examined. The 
NIPP establishes baseline criteria for risk assessment methodologies that can provide a 
guide for improving the decision-making process. This component of the NIPP 
framework digs a lot deeper into the intricacies of each element, and even identifies tools 
and functions that can assist with the decision-making process. 

Both the GAO and NIPP recognize the essential elements of risk assessment and 
place both of these components at the center of the risk management framework process. 
The context in which the elements are described in the NIPP make it easier for the 
decision maker to understand how risk assessment methodologies can be of assistance. 
The table below is meant to extract the core elements from the Assess Risk Component, 
and further enhance each of the decision-making processes. 


" U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2006, 40. 
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(NIPP) Assess Risks 


Strategic DM 

The Assess Risk Component outlines the criteria from which the Strategic DM can 
draw. The elements of consequence, vulnerability, and threat, coupled with the 
suggested baseline criteria and tool enhancements, offer the Strategic DM a larger 
pool of relative risk assessment principles. A robust framework of risk assessment 
methodologies integrated with the appropriate tools for SSAs can assist with strategic 
decisions that are oriented toward preparedness strategies, resource allocations, and 
situational courses of action. 

Operational DM 

The Operational DM can make better informed decisions based on baseline criteria 
and tool enhancements. By understanding the elements of consequence, vulnerability, 
and threat through the principles of assessment and analysis suggested by the NIPP, 
the Operational DM can support a COA that may require a robust detection and 
deterrence mission by identifying and grouping vulnerabilities using common threat 
scenarios. 

Tactical DM 

The Tactical DM relies on assessing risks for identifying adversarial capabilities. As 
suggested through by the NIPP, tools such as HITRAC can assist the Tactical DM by 
identifying the most frequently used methods of attack by terrorists for a given sector. 

Analytical DM 

The Analytical DM process would rely on a suite of tools that are appropriately 
tailored to the problem. The Analytical DM factors in assets, systems, networks, 
processes, and capabilities that are significant to the core elements, i.e., threat, 
vulnerability, and consequence. The NIPP suggests the assessment be specific to a 
sector or region. 

Intuitive DM 

The Intuitive DM may identify with an element of the Assess Risk Component that 
may necessitate immediate action, and that could transition directly into the 
Implement Protective Programs Component. 

Capability Based 
DM 

The elements of assessing risk will drive Capability Based DM. Threat, vulnerability, 
and consequence are all linked to the MAs and TCs discussed in Chapter II. 
Capability Based DM will rely on the risk assessment and analysis for those MAs and 
TCs that will have the greatest impact in driving down risk. 


1 The NIPP risk management framework provides the process for 


developing comparable estimates of the risk relevant to CI/KR. 

The framework is applicable to risk assessments on an asset, 

system, network, function, sector, state, regional, or national basis. The NIPP also 
suggests that the prioritization process provides infonnation that can be used during 
incident response to inform decisions regarding issues associated with CI/KR restoration. 
The NIPP delineates this process into two related activities: The first determines which 
sectors, regions, or other aggregation of CI/KR assets, systems, networks, or functions 
are subject to the highest risk as calculated using the NIPP risk management framework. 
Those exposed to the greatest risk are accorded the highest priority in risk management 
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program development. The second activity determines which protective actions are 
expected to provide the greatest mitigation of risk for any given investment. The risk 
management initiatives that result in the greatest risk mitigation for the investment 
proposed are accorded the highest priority in program design, resource allocation, 
budgeting, and implementation. This approach ensures that programs make the greatest 
contribution possible to overall CI/KR risk mitigation in the context of resources 
available. 100 

The GAO framework utilized an Alternatives Evaluation Component, whereas the 
NIPP suggests a more prioritized approach. The GAO concept is based more on a 
decision-making process than the NIPP concept, which is still meant to identify risk as 
the primary driver for the decision maker. As outlined by the NIPP, this component of the 
framework makes sense for the decision maker due to the vast problem space associated 
with homeland security. A prime example is identifying UASI Regions within states. 
These regions are developed based on the assets, systems, networks, and functions that 
are most densely populated within a given region of a state. They may also represent a 
higher risk landscape and require more security approaches. Therefore, prioritization 
becomes essential for grant funding as well as resource allocation. 


100 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 43. 
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(NIPP) Prioritize 


Strategic DM 

The Strategic DM can find great utility in implementing a prioritization strategy. A 
primary use of prioritization is to inform resource allocation decisions, such as where 
protection programs should be instituted. The Strategic DM may also rely on the risk 
assessment process so that empirical information can generate a strategy for 
prioritizing resources. This component is a very strategic-oriented phase within the 
NIPP framework for preparedness planning. 

Operational DM 

Based on what the Strategic DM deems to be a prioritized asset, system, network, or 
function, the Operational DM can acclimate to the components that would lead to the 
implementation of protective programs. 

Tactical DM 

The Tactical DM determines what tactical requirements may be needed for a response 
to a prioritized asset, system, network, or function. An example would be tactical 
teams deployed within a chemical facility that would require proper PPE. 

Analytical DM 

The Analytical DM can identify or develop a suite of tools that are tailored for 
prioritized assets, systems, networks, or functions. For example, the Analytical DM 
would not use the same vulnerability assessment tool for stadiums as it would for 
dams due to the different methods of a potential attack. 

Intuitive DM 

The Intuitive DM may use intelligence products, and may chose to vary prioritization, 
based on the reliability of those products. 

Capability Based 
DM 

The Capability Based DM may determine which capabilities are necessary for 
protective actions against multiple threat scenarios that target prioritized assets, 
systems, networks, and functions. By building a sustainable capacity of capabilities, 
risk can be driven down for prioritized CI/KR. 


1 According to the NIPP, the nation’s CI/KR is widely 


HMfRMiWnVjPRHRPHH distributed in both a physical and a logical sense. 

Effective CI/KR protection requires both distributed 

implementation of protective programs by security 

partners and focused national leadership to ensure implementation of a comprehensive, 
coordinated, and cost-effective approach. At the implementation level, protective 
programs consist of diverse actions undertaken by various security partners. From the 
leadership perspective, programs are structured to address coordination and cost- 
effectiveness. 101 

The NIPP describes protective actions involving measures designed to prevent, 
deter, and mitigate the threat, to reduce vulnerability to an attack or other disaster, to 
minimize consequences, and to enable timely, efficient response and restoration in a post- 


101 


U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 45. 
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event situation. There is great necessity in the protective actions that represent the core 
elements for this component of the framework. The GAO implies that during the 
implementation and monitoring phase, preparedness actions should be implemented. This 
component of the NIPP acknowledges that protective actions reduce risk by addressing 
each of the risk assessment elements of threat, vulnerability, and consequence. The 
protective actions described below vary across a spectrum of activities, but are of great 
value to the decision maker: 

• Deter: Cause the potential attacker to perceive that the risk of failure is greater 
than that which they find acceptable. Examples include improved awareness and 
security (e.g., restricted access, vehicle checkpoints) and enhanced police and/or 
security officer presence; 

• Devalue: Reduce the attacker’s incentive by reducing the target’s value. 
Examples include developing redundancies and maintaining backup systems or 
key personnel; 

• Detect: Identify potential attacks and validate and/or communicate the 
information, as appropriate. General detection activities include intelligence 
gathering, analysis of surveillance activities, and trend analysis of law 
enforcement reporting. For specific assets, examples include intrusion-detection 
systems, network monitoring systems, operation alarms, surveillance, detection 
and reporting, and employee security-awareness programs; 

• Defend: Protect assets by preventing or delaying the actual attack, or reducing an 
attack’s effect on an asset, system, or network. Examples include perimeter 
hardening by enhancing buffer zones, fencing, structural integrity, and cyber 
defense tools such as antivirus software. 102 

In addition to the protective actions, the NIPP suggests that protective programs 
should focus on the overall preparedness aspects for reducing risk. These programs can 
li nk the necessary actions that would benefit the decision maker when faced with a 
critical incident. The following preparedness functions are built into driving down risk, 
and are linked to the actions by decision makers throughout various levels of the 
framework. 

• Mitigate: Lessen the potential impact of an attack, natural disaster, or accident by 
introducing system redundancy and resiliency, reducing asset dependency, or 
isolating downstream assets; 


102 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 45. 
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• Respond: Activities designed to enable rapid reaction and emergency response to 
an incident, such as conducting exercises and having adequate crisis response 
plans, training, and equipment; 

• Recover: Allow businesses and government organizations to resume operations 
quickly and efficiently, such as using comprehensive mission and business 
continuity plans that have been developed through prior planning. 103 




(NIPP) Implement Protective Programs 

Strategic DM 

The Strategic DM can develop a preparedness strategy or a situational COA by 
ensuring that the Implementation of Protective Programs Component is compatible to 
the asset, system, network, function, sector, or region. 

Operational DM 

The Operational DM can utilize the protective actions of deterrence, detection and 
defense to support a COA that is specific to an asset, network, system, or function, 
sector, or region. Based on threat, intent and capability, the Operational DM can 
ensure the adequate protective actions are employed. 

Tactical DM 

The Tactical DM can focus on the threat, capability, and intent, and ensure that the 
operational protective actions are executed. The Tactical DM may also rely on an 
intuitive COA, if necessary. 

Analytical DM 

The Analytical DM can support the preparedness strategy by supporting the Strategic, 
Operational, and Tactical DMs with adequate analysis and assessment that is tailored 
to the protective actions. 

Intuitive DM 

The Intuitive DM is vital during the execution phase for this component of the 
framework. Protective actions may be dynamic and require Intuitive DM to defeat a 
given threat or attack. 

Capability Based 
DM 

Protective programs are based on capabilities. Capability Based DM supports every 
aspect of the protective actions and preparedness functions. 


According to the NIPP, the Measuring Effectiveness 
Component drives continuous improvement of CI/KR 
risk-mitigation programs at the sector level and overall 
program performance at the national level. The NIPP uses a metrics-based system to 
provide feedback on efforts to attain the goal, as well as supporting objectives. The 
metrics also provide a basis for establishing accountability, documenting actual 
performance, facilitating diagnoses, promoting effective management, and reassessing 
goals and objectives. Metrics offer a quantitative assessment to affirm that specific 
objectives are being met, or to articulate gaps in the national effort or supporting sector 
efforts. The assessment enables the identification of corrective actions, and provides 

103 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 47. 

59 


Measure Effectiveness 















decision makers with a feedback mechanism to help them make appropriate adjustments. 
It can also provide qualitative insights to help make informed decisions. Cost-benefit 
analyses of programs, lessons learned from exercises, actual incidents, and alerts provide 
additional objective input into the process. 104 


(NIPP) Measure Effectiveness 

Strategic DM 

The Strategic DM can utilize the Measure Effectiveness Component to ascertain 
whether the components and other elements of the framework are enhancing 
homeland security preparedness strategies. 

Operational DM 

The Operational DM can utilize the elements of the Measure Effectiveness 
Component through exercises, lessons learned, and actual incidents in order to 
enhance qualitative insights to make better informed decisions for an identified COA. 

Tactical DM 

The Tactical DM can also utilize the elements of the Measure Effectiveness 
Component through exercises, lessons learned, and actual incidents in order to 
enhance qualitative insights to make better informed decisions for an identified COA 
that requires action and execution. 

Analytical DM 

The Analytical DM can utilize the metrics that offer a quantitative assessment to 
affirm that specific objectives are being met, or to articulate gaps in the state/region 
effort or supporting sector efforts. 

Intuitive DM 

The NIPP’s description of the Measure Effectiveness Component adds to the 
experience and improves pattern recognition based on the knowledge that the 
Intuitive DM can gain through exercises, lessons learned, and actual incidents. 

Capability Based 
DM 

Capabilities are measured and evaluated during exercises and actual incidents. The 
Capability Based DM can utilize the aspects of the Measure Effectiveness Component 
to ascertain various levels of capabilities through scenario enhancements. 


The NIPP framework is clearly articulated in the text from the National 
Infrastructure Plan (NIP). This makes it easier to define the core elements within each 
component of the framework. From the decision maker’s perspective, the definitive 
elements are what surfaced throughout the analysis of the framework. From these 
elements, the principal decision-making process interpreted the value for that particular 
component. 

The feedback loop illustrated at the conclusion of the Measure Effectiveness 
Component suggests that components of the framework are dependent upon one another. 
This dependency allows the framework to be fluid, and presents a step-by-step approach 
for the decision maker to follow. Central to the framework is the Assess Risk 

104 U.S. Department of Homeland Security, National Infrastructure Protection Plan 2006, 48. 
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Component. This component produced the elements of threat, vulnerability, and 
consequences. An essential theme to this paper, and as was defined as a focal point for 
terrorism risk, are these three elements. The Assessment of Risk Component generated 
elements reflective of baseline criteria and tool enhancements for risk assessment 
methodologies. Although there are discrepancies in how effective these tools have been, 
the NIP document acknowledges that risk assessment tools are required for decision 
makers to make better-informed decisions. 

4. The International Risk Governance Council (IRGC) Framework 

Ortwin Renn, the creator and author of a white paper on the IRGC Risk 
Governance Framework, describes it as “an integrated analytic framework for risk 
governance which provides guidance for the development of comprehensive assessment 
and management strategies to cope with risks, in particular at the global level. 105 Renn 
and the IRGC chose to use the tenn “risk governance” with the intention of representing 
the many different groups in society, from governments to individuals — who 
collectively make decisions. These principles underpin IRGC’s view that risk governance 
includes the actors, rules, conventions, processes, and mechanisms concerned with how 
relative risk information is collected, analyzed, and communicated, and how management 
decisions are taken. 106 Ross asserts that the IRGC chose the tenn “risk governance” due 
to the varying several schools of thought on the proper definitions and hierarchical 
relationship between the terms “risk assessment,” “risk analysis,” and “risk 
management.” In Ross’s analysis of the IRGC Risk Governance Framework, he finds 
utility in the term “governance” and combines it with the principles of risk management, 
thus creating “risk management/governance.” 107 


105 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 11. 

106 Renn and Katherine D. Walker, Global Risk Governance: Concept and Practice Using the IRGC 
Framework. (Berlin, Germany: Springer Publishing, 2008). Xxvi. 

107 Robert Ross, “Risk and Decision Making in Flomeland Security,” Attachment B. 
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The IRGC framework offers a much more comprehensive approach than both the 
GAO and NIPP, but has yet to be utilized within the security studies field. 108 The 
framework’s process for dealing with risk comprises five phases: pre-assessment; risk 
appraisal, risk characterization/evaluation; risk management; and risk communication 
(Figure 9). The framework also distinguishes between a management sphere (containing 
decision making and implementation) and an assessment sphere (containing risk 
appraisal). The pre-assessment, characterization/evaluation and communication phases 
are in both spheres because, although the IRGC strongly endorses the separation of risk 
appraisal and management, these three other phases need the combined efforts of the 
people responsible for both. The IRGC positions risk communication at the center of the 
framework to reflect its crucial role throughout — rather than at a particular point of — 
the entire process. The IRGC framework is, therefore, deliberately open, interlinked, and 
iterative. 109 


108 in a received email from the author Ortwin Renn, he encourages the use of the IRGC framework 
for due to the generic principles that are well suited to deal with a large variety of risks including security 
issues. 

109 Renn and Walker, Global Risk Governance. 
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Figure 9. IRGC Risk Governance Framework Core Process 110 

The IRGC framework is very comprehensive and offers a different view of how 
risk can be managed through the utility of a governing framework. Ross suggests that a 
particular advantage of the IRGC Core Process is the distinction drawn between the 
Assessment and Management Spheres. * 111 This distinction makes the IRGC framework 
unique; however, it does acknowledge that certain components need the combined efforts 
of people representing both the Management and Assessment Spheres. The analysis for 
this framework will be consistent with the two spheres. Rather than utilize the principal 
decision-making processes for each component, we will delineate this process into the 
Assessment Sphere: Generation of Knowledge, and the Management Sphere: Decision on 
and Implementation of Actions. As suggested by the IRGC, the pre-assessment, 
characterization/evaluation and communication phases are in both spheres, and will be 
acknowledged through the principal decision-making processes. 


110 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 13. 

111 Robert Ross, “Risk and Decision Making in Homeland Security,” Attachment B. 
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The purpose of the Pre-Assessment Phase is to 
capture both the variety of issues that stakeholders 
and society may associate with a certain risk, as well 
as existing indicators, routines, and conventions that 
may prematurely narrow down, or act as a filter for, 
what is going to be addressed as risk. 112 The IRGC 
suggests that these preliminary thoughts provide a systematic review of risk-related 
actions that must begin with an analysis. This first element of the Pre-Assessment Phase 
is referred to as problem framing, which essentially assists in identifying the source of the 
threat. From a homeland security perspective, problem framing can include a host of 
risks, stemming from terrorism to natural disasters. Problem framing can also assist in the 
decision-making process by narrowing the scope of the risk to a specific act of terrorism 
targeting an identified sector. 

A second element of the Pre-Assessment Phase is early warning and monitoring. 
This element is intended to support observations and indicators of potentially damaging 
events or their precursors by monitoring the environment for signals of risk. 113 Early 
warning and monitoring is a prime example of what is expected of the U.S. intelligence 
community. Figure 5B in Chapter II illustrates intelligence-collection disciplines. The 
intelligence community, through these various disciplines, is constantly implementing the 
element of early warning and monitoring. 

The third element of the Pre-Assessment Phase is referred to as screening. 
Screening is the process of sifting and selecting information about risk in order to allocate 
the risk to a particular category or to a particular control regimen. 114 As the final element 
of this phase, screening captures the essence of what has been framed as a risk problem 
and what has been monitored as a risk. An example would be the framed risk problem 
space associated with passenger rail transportation, screened for multiple attacks within 
an identified jurisdiction. 

112 Renn, “White Paper on Risk Governance: Towards an Integrative Framework.” 

113 Ibid., 24. 

114 Ibid., 25. 


Pre-Assessment 


• Problem Framing 

• Early Warning and 

Monitoring 

• Screening 


64 








The process of the Risk Appraisal Phase brings 
together the information necessary for risk 
characterization, evaluation, and management. This 
includes not just the results of scientific risk 


• Risk Assessment 

• Concern Assessment 


assessment, but also information about risk 


perceptions and economic and social implications of the risk consequence. 115 

The IRGC framework opts to use the Risk Appraisal Phase as its primary 
component for the Assessment Sphere, which captures the Risk Assessment and Concern 
Assessment elements. The IRGC envisions the Risk Appraisal Phase as having two 
process stages: First, natural and technical scientists use their skills to produce the best 
estimate of the physical harm that a risk source may induce (this is referred throughout 
the white paper as risk assessment). Second, social scientists and economists identify and 
analyze the issues that individuals or society as a whole link with a certain risk (referred 
to as concern assessment). 116 

Risk Assessment: The purpose of risk assessment is the generation of knowledge 
linking specific risk agents, such as terrorism or natural disaster, with uncertain but 
possible consequences. The final product of risk assessment is an estimation of the risk in 
terms of a probability distribution of the modeled consequences. The different stages of 
risk assessment vary from risk source to risk source. 117 The IRGC also recognizes that 
there have been many efforts to produce a harmonized set of terms that would cover a 
wide range of risks and risk domains. This was noted previously in this paper, regarding 
the utility of a common lexicon within the risk domain. The IRGC suggests, however, 
that there is agreement on basically three core components of risk assessment: 

• An identified and, if possible, estimation of the hazard; 

• An assessment of exposure and/or vulnerability; 


115 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 79. 

116 Ibid., 34. 

117 Ibid., 27. 
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• An estimation of risk, combining the likelihood and the severity of the 
targeted consequences based on identified hazardous characteristics and the 
exposure/vulnerability assessment. 118 

The IRGC chose to use very generalized terms that could be applied to a large 
range of issues regarding risk. The tenn hazard would mirror what has been referred to as 
threat throughout this paper. It further acknowledges that the basis of risk assessment is 
the systematic use of analytical, largely probability-based methodologies. Yet these 
methodologies require a great deal of quantitative analysis and statistical data, which 
could be difficult to collect. This is the problem with trying to determine threat. We 
know it exists. We know intent and capability are linked to it. But, unless intelligence 
collectors can identify the threat, we cannot measure it. 

Earlier in this paper, references were made to the complexity and uncertainty 
associated with risk as it pertains to the homeland security problem space. The IRGC 
suggests that these two terms challenge the risk assessment process. It suggests that 
complexity refers to the difficulty of identifying and quantifying casual links between a 
multitude of potential causal agents and specific, observed facts. 119 An example of 
complexity within the homeland security domain would be the protection of critical 
infrastructure. The U.S. infrastructure is extremely large and complex. This complexity is 
compounded further when combined with the interdependencies and collateral impacts 
that one can have on another. What should be protected? How should it be protected, and 
at what cost? 

The IRGC asserts that it is essential to acknowledge, in the context of risk 
assessment, that human knowledge is always incomplete and selective, and thus 
contingent on uncertain assumptions, assertions, and predictions. 120 In this context, the 
uncertainty of risk assessment can be linked to the intelligence collection and 
dissemination process. If one assumes that a piece of threat-based intelligence is critical 


118 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 27. 

119 Ibid., 29. 

120 Ibid., 30. 
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— but that it is uncertain whether it is indicative of an attack — are immediate preventive 
and protection actions called for, or should the situation be monitored while intelligence 
analysts wait for more information? 

The IRGC acknowledges that complexity and uncertainty exist when risk 
assessment is being applied to a particular issue or problem, especially when probabilistic 
risk assessment methodologies cannot be applied. These elements of the risk assessment 
component can improve the decision-making process when not all variables are visible, 
especially at the intuitive decision-making stage. 

Concern Assessment: Concern assessment extends beyond the scientific process 
of risk assessment. This concept relates to the concerns of social and economic 
implications of risk. What is the public’s perception of how risk is being managed? 121 
Decision makers need a better understanding of how the public perceives risk in general, 
and specific risks associated with terrorism. Risk management decisions may be 
influenced by public perceptions of risk, which may result in a shift of resource allocation 
or operational deployment strategies. Part B of Chapter IV is dedicated to risk perception 
and the passenger rail threat. It captures the social element that is intrinsic to the terrorism 
threat, and reflects the element of concern assessment. 

The IRGC refers to this component of the framework 
as being the most controversial phase for handling 
risk. Risk characterization and evaluation judges a 
risk’s acceptability and/or tolerability. A risk deemed 
“acceptable” is usually limited in terms of negative 
consequences, so that it is taken on without risk 
reduction or mitigation measures being implemented. A risk deemed “tolerable” links the 
undertaking of an activity, one that is considered worthwhile for the value-added benefit 
it provides, with specific measures to diminish and limit the likely adverse 
consequences. 122 

121 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 34. 

122 Ibid., 36. 
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The IRGC emphasizes that the Tolerability and Acceptability Judgment Phase 
also sits in the center of the framework, adding value to both the Assessment and 
Management Spheres. While risk characterization compiles scientific evidence based on 
the results from the risk appraisal, risk evaluation assesses broader, value-based issues 
that also influence judgment, which is an inherent element of the risk management phase. 



The IRGC asserts that the risk management phase 
starts with a review of all relevant information, in 
particular that from the combined risk appraisal, 
consisting of both a risk assessment and concern 
assessment, whereby the latter is based on risk 


• Implementation 

• Decision Making 


perception studies, economic impact assessments, and the scientific characterization of 
social responses to the risk source. This information, together with the judgments made in 
the phase of risk characterization and evaluation, form the input material on which risk 
management options are assessed, evaluated and selected. 123 

This component of the IRGC framework represents the implementation and 
decision-making elements. Essential to these two elements is what the IRGC refers to as 
an assessment of risk management options. Each of these options is intended to be related 
to the reduction of risk, and to assist in the decision-making process: 

• Effectiveness 

• Efficiency 

• Minimization of external side effects 

• Sustainability 

• Fairness 

• Political and legal implementation 

• Ethical acceptability 

• Public acceptance 


123 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 14. 
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It is the task of the risk management decision maker to ensure that each of these 
options is evaluated, selected, implemented, and monitored for effectiveness. These steps 
mirror a decision-making process, and are offered by the IRGC as an essential element 
for the risk management component of the framework. A primary theme throughout this 
paper, however, has been that decision making is being implemented at every phase of 
the risk management framework and for each component. This suggests that, although the 
IRGC recognizes decision making is a core process for risk management, it is also 
necessary throughout the entire framework. 

The remaining element of the IRGC framework is 
risk communication, which is of major importance 
throughout the entire risk-handling chain. Risk 
communication should enable stakeholders and civil society to understand the rationale 
of the results and decisions, from the risk appraisal and risk management phases, when 
they are not formally part of the process. Risk communication should also help them to 
make informed choices about risk, balancing factual knowledge about risk with personal 
interests, concerns, beliefs, and resources, when they are involved in risk-related decision 
making. 124 

Ross acknowledges the utility of communication, and states, 

government efforts to manage societal risks must be acceptable to the 
majority of those making up the society or the government will fail. This 
again points out the importance of communication. Risk Communication 
is not limited to those involved in the Framework’s Core Process. Rather, 

Risk Communication must extend to a society as a whole. 125 

Figure 10 illustrates risk communication extending beyond the interior 
components of the core process to society as whole. 


Communication 


124 Renn, “White Paper on Risk Governance: Towards an Integrative Framework,” 15. 

125 Robert Ross, “Risk and Decision Making in Homeland Security,” Attachment B. 
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Figure 10. The IRGC Risk Governance Framework Macro Context 126 


(IRGC) Assessment Sphere 

Strategic DM 

The Assessment Sphere can support the Strategic DM with developing goals and 
objectives through the combination of the Pre-Assessment and Risk Appraisal 
Components. The Strategic DM can proceed with a strategic COA due to the inherent 
elements of each component that contains problem framing, risk assessment, and 
concern assessment. 

Operational DM 

The Operational DM can utilize the Pre-Assessment and Risk Appraisal Components 
in an effort to make better-informed decisions that reflect early warning and screening 
and risk assessment. The risk assessment offers identified hazards and vulnerabilities 
from which the Operational DM can draw. 

Tactical DM 

The Assessment Sphere supports the Tactical DM through the Risk Assessment 
Component that identifies adversarial intent and capabilities. 

Analytical DM 

The Analytical DM can utilize each component of the Assessment Sphere due to the 
Communication Component that supports the connectivity of the IRGC framework. 
The Analytical DM can even cross over into the Risk Management Phase due to this 
supporting feature. The Analytical DM can utilize the risk characterization and 
evaluation to determine if the risk is acceptable or tolerable. 

Intuitive DM 

The Assessment Sphere offers insight into complexity and uncertainty. These are 
elements of the risk assessment component that are referred to as unclear variables of 
risk. The Intuitive DM can be reactionary, and rely on knowledge and experience if 
faced with a complex, uncertain problem. The Intuitive DM may rely on the risk 
evaluation to assess a broader aspect of risk that requires knowledge and experience. 

Capability Based 
DM 

The Pre-Assessment and Risk Appraisal Components can support the Capability 
Based DM to make better informed decisions by identifying the hazards and 
vulnerabilities associated with risk assessment and the early warning and screening 
elements of pre-assessment. 


126 Robert Ross, “Risk and Decision Making in Homeland Security,” Attachment B. 
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(IRGC) Management Sphere 

Strategic DM 

The Management Sphere is designed to support Implementation and Decision-making 
Phases. The Strategic DM can find support in the Management Sphere throughout the 
entirety of the framework due to the Communication Component. 

Operational DM 

The Operational DM will rely on the Management Sphere for implementation, 
monitoring, and effectiveness for a COA. 

Tactical DM 

The Tactical DM will rely on the Management Sphere for implementation, 
monitoring, and effectiveness for a COA. 

Analytical DM 

As is the case for the Analytical DM in utilizing the Assessment Sphere, the same can 
be said for the Management Sphere. The Analytical DM can find utility in the 
Communication Component that supports both components of the framework. 

Intuitive DM 

The Management Sphere is supportive of implementation, monitoring, and 
effectiveness. The Intuitive DM is directly engaged in this phase of the framework in 
the event of an immediate change in COA. Complexity and uncertainty engage the 
Intuitive DM throughout the Management Sphere as well. 

Capability Based 
DM 

The Capability Based DM factors into the implementation, monitoring, and 
effectiveness elements due to the overarching support for the strategic, operational, 
and tactical decision makers. 


B. AN INTEGRATIVE RISK MANAGEMENT/GOVERNANCE 

FRAMEWORK 

1. Introduction 

This segment of the chapter will identify the commonalities and quality attributes 
that exist in each of the risk management frameworks. Based on the analysis of each 
framework, the essential components and core elements will be extracted and integrated 
into a risk management/governance framework. The risk management/governance 
framework is derived from the relative impact that each component and its core elements 
had on the principal decision-making processes. Of each of the frameworks, the IRGC 
model supports the application of a communication component that is meant to 
interconnect principles of risk, even though they are categorized as risk management or 
risk assessment principles. Communication is central to the core process, illustrating 
connectivity among all components. 

An additional feature evident in the IRGC framework acknowledges the fact that 
combined efforts of decision makers may overlap into risk management and risk 
assessment-related disciplines. This is reflected in the Management and Assessment 
Spheres. These two attributes will provide the structure for the risk 
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management/governance framework. Figure 11 illustrates the Integrative Risk 
Management/Govemance Framework that is further explained in the remainder of this 
chapter. 
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Figure 11. Integrative Risk Management/Governance Framework 
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2. Identified Commonalities and Quality Attributes for a Risk 
Management/Governance Framework 

A common component of the GAO and NIPP 
frameworks is the utility of defining strategic goals 
and objectives for a given homeland security issue or 
problem. The IRGC, however, offers a Pre- 
Assessment Component to support the decision 
maker in developing a strategy that identifies the 
source of the risk or threat. By identifying the assets, 
systems, networks, and functions, which are core elements of the NIPP framework, 
problem framing, monitoring and warning, and screening can be applied to assess the 
criticality and threat to these elements. Based on this assessment, the decision maker can 
proceed with developing security goals and objectives for a specified sector or region that 
contains these elements. 

Both the GAO and NIPP frameworks initiated the risk 
management process by setting security goals and 
objectives. This component was evident and essential for 
the strategic decision maker. The NIPP component 
referred to definitive prevention, protection, response, 
and recovery postures that security partners seek to attain. 
The elements of setting security goals and objectives in 
combination with the elements of the pre-assessment phase can support the decision 
maker in developing goals and objectives that are focused on prevention, protection, 
response, and recovery. Each identified asset, system, network, or function can be linked 
to each of these mission capabilities for a specified sector or region. 

The Integrative Risk Management/Governance Framework illustrates the pre¬ 
assessment, and setting security goals and objectives as a starting point for the risk 
management/governance process. The framework acknowledges that both components 
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are interconnected and influence decision making through both risk management and risk 
assessment principles. For example, in the case of a threat to passenger rail systems for a 
given region, the pre-assessment/security goals and objectives components will rely on 
principles relative to the Management Sphere in order to implement proper deployment 
and monitoring procedures. The principles associated with the Assessment Sphere can 
assist in identifying proper analysis tools and systems that support problem framing, and 
monitoring and warning. As a result of this interconnectivity between both risk spheres, 
the decision maker can develop the most adequate course of action that is reflective of the 
goals and objectives. 


The Risk Appraisal Component is a combination of risk 
assessment and concern assessment, which are core 
components of the IRGC framework. Essential to this 
component are the elements of threat, vulnerability, and 
consequence. Criticality, a GAO element, has been added 
to this trio. Each of the principal decision-making 
processes reflect a great deal of reliability on the 
elements of the risk assessment component throughout 
each of the frameworks. The risk assessment component 
in the GAO framework was central to the model, and factored into each of the principal 
decision-making processes throughout the cycle. The NIPP framework continually 
referred back to the core elements of threat, vulnerability, and consequence for each 
phase. The NIPP dissected each of these elements, and explained the attributes and 
enhancements that the decision maker could adopt. The NIPP also refers to analysis tools 
and systems that can support risk assessment methodologies. The decision-making 
processes reflected the need for tools that are developed using proven methodologies, and 
that are appropriately tailored for a problem or issue. 

The terms uncertainty and complexity were described in the risk assessment phase 
for the IRGC framework. Intuitive decision making is essential when faced with issues 
that are uncertain and complex. The IRGC acknowledges that complexity and uncertainty 


Risk Appraisal 


Risk Assessment 

• Threat - Vulnerability 
- Consequence - 
Criticality 

• Uncertainty - 
Complexity 

Concern Assessment 

• Risk Perceptions 

• Social Concerns 


74 



exist when risk assessment is applied to a particular issue or problem, especially when 
probabilistic risk assessment methodologies cannot be applied. Uncertainty and 
complexity reverberate throughout the homeland security problem space. Therefore, it is 
critical that tools and assessment methodologies are tailored for each of the elements, and 
are applied to identified assets, systems, networks, and functions for a specific sector or 
region. This enables the decision maker to make the best-informed decision for a given 
problem. 

Concern Assessment extends beyond the scientific process of risk assessment, and 
engages the decision maker with concerns associated with social and public perceptions 
of risk. Concern Assessment takes into account what the decision maker may not deem to 
be critical, but that may be perceived differently in the eyes of the public. For example, 
the media may report an apparent terrorist threat against the NYC subway system. The 
risk assessment, however, in conjunction with the threat analysis, may conclude that there 
is no credible threat. Protection measures may be employed as a reactionary course of 
action to mitigate the public’s perception of terrorism risk. 

The NIPP framework prioritizes assets, systems, 
networks, and functions based on the risk assessment. 
The GAO framework implements an Alternatives 
Evaluation component, implying that, while decision 
making is based on the risk assessment, it can divert if 
there is a change in strategy. The Prioritization 
Component provides information that can be used during 
the employment of prevention, protection, and response 
issues that can help inform decision makers. Each of the principal decision-making 
processes found utility in the Prioritization Component that generally led to the 
implementation phase. 

Prioritization is placed at the lower half of the Assessment Sphere for this 
framework so that the decision maker can take into account all relative assessment 
information that is generated through the Pre-Assessment, Security Goals and Objectives, 
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and Risk Appraisal Components. This is integral to the process prior to risk characterization 
and evaluation, which is aimed at judging a risk’s acceptability and/or tolerability. 

The Tolerability and Acceptability Judgment Component 
is linked with the Prioritization Component. This is meant 
to illustrate a seamless transition into the Management 
Sphere. Risk characterization and evaluation revealed that 
they both have utility for analytical and intuitive decision 
making. Prior to implementation, this component can 
assist the decision maker in moving forward with 
management selection, monitoring, and measuring effectiveness. 

Throughout this paper, risk management has been defined 
as the overarching principle responsible for decision 
making and driving down risk. Each framework reflects a 
combination of risk principles that are meant to drive the 
decision-making process. The GAO framework illustrated 
a decision-making process and included risk assessment 
as a component. The NIPP also reflected a decision¬ 
making process, but detailed the elements of each 
component. In both frameworks, the principal decision-making process found utility in the 
final phase of the process. The IRGC includes risk management as a component of its core 
process, illustrating that risk management and risk assessment integrate with one another 
throughout the process. 

This component of the risk management/governance framework is assembled to 
illustrate the utility of combining the final components of the GAO and NIPP frameworks — 
management selection, implementation, monitoring, and measuring effectiveness — into the 
Risk Management Phase. With communication as a central component to the process, risk 
management and risk assessment can support one another. 
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IV. PASSENGER RAIL TRANSPORTATION RISK PROBLEM 

SPACE 


A. OVERVIEW OF THE PASSENGER RAIL TRANSPORTATION SECTOR 
THREAT 

1. Introduction 

In its historic report, the 9/11 Commission stated, 

While commercial aviation remains a possible target, terrorists may turn 
their attention to other modes. Opportunities to do harm are as great, or 
greater, in maritime surface transportation. Initiatives to secure shipping 
containers have just begun. Surface transportation systems such as 
railroads and mass transit remain hard to protect because they are so 
accessible and extensive. 

The U.S. government should identify and evaluate the transportation 
assets that need to be protected, set risk-based priorities for defending 
them, select the most practical and cost effective ways of doing so, and 
then develop a plan, budget, and funding to implement the effort.” 127 


The Transportation Security Administration (TSA) has responded to the 
recommendations made by the 9/11 Commission, and has taken significant steps to 
improve security for the transportation sector. TSA has adopted a risk-management 
approach to guide decisions, and to maximize resources where they are most needed. The 
TSA has undertaken numerous initiatives to strengthen transportation security, 
particularly in aviation. 128 Secured cockpit doors, the Federal Flight Deck Officer 
Program, and a vastly expanded Federal Air Marshal Program have reduced the risk of 
attacks similar to those of September 11. 129 

127 The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon 
the United States, 391. 

128 Government Accountability Office, Transportation Security - Systematic Planning Needed to 
Optimize Resources, Washington, DC: Government Accountability Office, 2005, 1. 

129 Transportation Security Administration. Risk Management. 
http://www.tsa.gov/approach/risk/index.shtm (Accessed October 18, 2007). 
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The nation’s transportation sector is a vast, interconnected network of diverse 
modes. In addition to aviation, key modes of transportation include highways, motor 
carrier (trucking), motor coach (intercity bus), maritime, pipeline, rail (passenger and 
freight), and transit (buses, subways, ferry boats, and light rail). 130 Given this vast 
transportation network, quick and easy access for passengers and cargo must be 
maintained while identifying the best possible strategies for security. In recent years, the 
most devastating terror attacks have been against passenger rail infrastructure. Rail 
infrastructure continues to be targeted on a transnational front, resulting in mass 
casualties and widespread disruption. The London and Madrid bombings opened the eyes 
of homeland security practitioners as to the devastation and possibilities of similar attacks 
targeting America’s transportation systems. An attack on passenger rail serves the chief 
objectives of many terrorists, which are to cause mass casualties, impact economic 
vitality, and create fear. 

This global trend of attacking rail transportation may be a shift and adaptation in 
terrorist tactics and modus operandi. Bruce Hoffman states, 

Terrorism is perhaps best viewed as the archetypal shark in the water. It 
must constantly move forward to survive and indeed to succeed. Although 
survival entails obviating the governmental countenneasures designed to 
unearth and destroy the terrorists and their organization, success is 
dependent on overcoming the defenses and physical security barriers 
designed to thwart attack. In these respects, the necessity for change in 
order to stay one step ahead of the counterterrorism curve compels 
terrorists to change — adjusting and adapting their tactics and modus 
operandi, and sometimes even their weapon systems as needed. 131 

The methodology for including Hoffman’s research in this study is to illustrate the 
benefit of conducting a qualitative threat analysis central to one area of the vast homeland 
security problem space. By narrowing the scope of threat, vulnerability, and consequence 
to a specific sector and region, we can better evaluate the utility of an integrative risk 
management/governance framework for homeland security decision making. Three 
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underlying threat-analysis factors have been identified that are central to the passenger 
rail transportation sector: global attacks and threats to passenger rail transit systems; the 
terror threat to passenger rail transportation for New York and New Jersey; and analysis 
and key judgments of the New York/New Jersey passenger rail system. 

2. Global Attacks and Threats to Passenger Rail Transit Systems 

High profile terrorist attacks on rail systems in Madrid, London, and Mumbai 
illustrate that the U.S. public transportation system also is a vulnerable target. The 
abundance of passengers, combined with the need for easy access, makes securing 
passenger railways a daunting task. In his remarks before the U.S. Senate Committee, 
TSA Administrator Kip Hawley stressed that TSA must keep its focus on the highest 
priority items, which are informed and driven by the current threat environment. 132 He 
further stated that the National Intelligence Estimate indicated that, over the next three 
years, the threat will continue, with terrorists attempting transportation sector attacks on a 
grand scale. 133 

Although there have been indications of terrorist threats against U.S. passenger 
rail transportation systems, the majority of attacks have been executed abroad. These five 
high profile terrorist attacks were committed against passenger rail systems, resulting in 
multiple casualties and large-scale destruction. 

a. Moscow, Russia Metro Bombing - February 6, 2004 

Overview: A blast tore apart a metro train car in Moscow during the 
morning rush hour on February 6, 2004. The train was traveling between the 
Paveletskaya Station and the Avtozavodskaya Station around 8:40 a.m. The explosion 
occurred in the second car of the train, blowing out windows and hurtling metal pieces of 
the train in all directions. The device had an explosive power of about four to five 
kilograms of TNT. The device was similar to that used in the commuter train attack in 

132 Kip Hawley, "Implementing Recommendations of the 9/11 Commission Act of2007” testimony 
before the U.S. Senate Committee, http://www.tsa.gov/press/speeches/101607 hawlcv.shtm (Accessed on 
October 24, 2007). 
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Yessentuki in 2003, which was also constructed with large quantities of TNT. Those who 
survived were forced to walk through the dark tunnel to exit the subway. Forty people 
were killed and 122 injured. 134 

Terrorist Group: Russian officials believe that Chechen rebels were 
behind the attack, particularly terrorists affiliated with Abu al-Walid al-Ghalidi. 135 

Tactic: The main theory of investigators was that the blast was perpetrated 
by two female suicide bombers. 136 

b. Madrid, Spain Train Bombings - March 11, 2004 

Overview: 191 people were killed and more than six hundred injured when 
ten bombs detonated in four different locations on Madrid’s train line. Three of these 
bombs detonated in a train that was pulling into the Atocha Station, a busy hub for the 
commuter train line and the metro rail. The bombs were in backpacks and were detonated 
by cell phones. 137 

The Madrid attack is unique because it provides a glimpse into an 
emerging threat kn own as “home-grown terrorism.” According to Daniel Benjamin and 
Steven Simon, “...the Madrid bombings were not designed, funded, or executed by al 
Qaeda operatives. They were carried our by Muslim men, none of whom had ever been to 
an al Qaeda’s camp in Afghanistan, and only one of whom had anything that could be 
called terrorist training.” 138 Madrid demonstrated the global reach of an ideology, and 
showed all too plainly that those who hold these ideas live and work in the West, and that 
their numbers are growing, as is the danger they pose. 139 
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Terrorist Group: This group represented an extension of the global 
network of Jihad. 140 The suspects hailed from Morocco, India, Syria and Spain. In its 
claim of responsibility, the Abu Hafs al-Masri Brigade says Spain was targeted because 
of its cooperation with the U.S. war in Iraq. In response to the attacks, the ruling Spanish 
party was defeated in elections that took place four days after the incident. The incoming 
prime minister vowed to remove Spanish troops from Iraq. 141 

Tactic: The bombers envisioned that the trains would be both targets and 
delivery vehicles. Thirteen devices were timed to remotely detonate through the use of 
cell phones in the stations. The group intended that the concussion from the blast and the 
hail of glass and metal shrapnel would engulf the morning crowds on the platforms, as 
well as the passengers still on the trains. Three of the devices failed to detonate. 142 ' 143 

c. London, England Transit Bombings - July 7, 2005 

Overview: The first explosion happened at 8.50 a.m. on eastbound the 
Circle Line train, No. 204, traveling from Liverpool Street to Aldgate Station. Within one 
minute, a second explosion took place on Circle Line train No. 216, traveling westbound 
from Edgware Road to Paddington. A third bomb was detonated approximately two 
minutes later, on a southbound Piccadilly Line, No. 311. At 9.47 a.m., a fourth bomb was 
detonated on the top deck of the No. 30 bus at Tavistock Square. Fifty-two people were 
murdered and seven hundred were injured. Hundreds more were directly affected by the 
attacks, including passengers who were uninjured but potentially traumatized by the 
experience. 144 The explosions were carried out by suicide bombers, all of whom died. 145 
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The impact of the London bombing attacks shows that the infrastructure of 
the rail transportation is vast and vulnerable. Intelligence is critical in preventing such 
attacks, but oftentimes there simply isn’t any intelligence. On July 11, 2005, Prime 
Minister Tony Blair told Parliament that there was no intelligence specific enough to 
have prevented the attacks. 146 

Terrorist Group: The July 7 suicide bombers had connections to Pakistan, 
however, no evidence supported their association with a structured terrorist group. 147 The 
attacks were an indicator of the rise of Islamist radicalism, which could quite possibly be 
the greatest challenge in combating acts of terrorism in the West. 

Tactics: The bombers’ self-detonated satchels contained explosives. The 
explosive compound used can be made from easily obtainable household ingredients, 
although experts believe a trained chemist must have assisted the four suicide 
bombers. 148 


d. Mumbai, India Train Attacks - July 11, 2006 

Overview: On July 11, 2006, a series of seven explosions targeted railroad 
networks in Mumbai. In all, 190 people were killed and 625 were injured. One of the 
explosions took place in the first-class trains of the Western Railway at Jogeshwari 
Station. 149 Indian police described the attack as a coordinated terrorist act. Initial police 
reports indicated the bombs exploded over a six-minute period during the evening rush 
hour. 150 
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Terrorist Group: The Mumbai police accused a lesser- kn own militant 
outfit, Lashkar-e-Qahar (LeQ), for carrying out the coordinated terrorist attacks on 
India’s suburban trains. The LeQ is suspected to be a front organization for the Pakistan- 
based Lashkar-e-Toiba (LeT). 151 

Tactics: Operatives placed suitcases containing the explosives on the 
luggage racks in the trains. The Maharashtra state government’s Anti-Terrorist Squad 
indicated that a deadly cocktail of RDX, ammonium nitrate, and fuel oil was used in the 
blasts. They were triggered by a mechanical pencil timer. 152 

e. India-Pakistan, Train Attack - February 18, 2007 

Overview: On February 18, 2007, a series of bombs exploded on a train 
near Diwana, causing a fire that killed at least sixty-six people and injuring fifty others. 
The train, the Smajhauta Friendship Express, was traveling from Delhi to Pakistan, and 
carrying over 750 people. This service was recently resumed in January 2004, after being 
shut down for thirty years because of the conflict between the two countries over 
Kashmir. The bombs on the train were attached to bottles of kerosene. The attack 
occurred at midnight, the night before Pakistan's Foreign Minister Khurshid Kasuri was 
scheduled to visit India. The primary objective of the terrorists was to derail the improved 
relationship between India and Pakistan. 153 

Terrorist Group: No group has claimed responsibility. 

Tactics: Authorities searching undamaged train cars found two suitcases 
packed with crude, unexploded bombs, and bottles of gasoline, apparently similar to the 
devices that exploded. 154 
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3. Terror Threat to Passenger Rail Transportation for New York and 

New Jersey 

While transportation security officials have long been aware of the possible threat 
of terrorist attacks on transportation networks, these tragic events revealed vulnerabilities 
in security systems, as well as the consequences of such breaches. Passenger rail 
transportation systems are, in general, easy and effective targets. 

As early as 2002, the FBI issued a warning that A1 Qaeda might be planning to 
attack passenger trains by using operatives who had a Western appearance. The FBI 
statement had additional information suggesting that operatives might try a variety of 
attack strategies, such as destroying key rail bridges and sections of track to cause 
derailments. 155 The FBI warning was not specific to a target location in the U.S. 
However, past threats have identified that the New York/New Jersey passenger rail 
systems is on the radar screen for most terrorists. There have been three known terror 
plots targeting the New York City subway system, all of which were disrupted. 

a. Attempted Suicide Bombing Attack - July 31,1997 

On July 31, 1997, New York City police officers successfully averted a 
nail-filled pipe bomb attack on a Brooklyn subway station that was frequented by 
Orthodox Jews. The attack was to be carried out by two Palestinian immigrants — Gazi 
Ibrahim Abu Mezer and Lafi Khalil. Police were tipped off to the attack by Mezar’s 
roommate. In November 1996, Khalil had received a transit visa from the U.S. Consulate 
in Jerusalem for travel through the United States to Ecuador. But Khalil didn’t go to 
Ecuador. Instead, he boarded a flight to Syracuse, New York, and remained in the U.S. 
until his arrest in July 1997. Kahlil was convicted of having a fake immigration card; he 
spent three years in jail and was then deported. Mezer was arrested and sentenced to life 
in prison. 156 
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b. Al Qaeda Hydrogen Cyanide Attack - January, 2003 

Ron Suskind, in his book, The One Percent Doctrine, Deep Inside 
America’s Pursuit of Its Enemies Since 9/11, reports that, in 2003, al Qaeda had a terror 
plot well underway targeting the U.S. It was a hydrogen cyanide attack planned for the 
New York City subways. Al Qaeda cell members had traveled to New York through 
North Africa in 2002 to identify locations for the attacks. The poison gas would be 
released through mubtakkars, 157 which would be placed in subway cars and activated 
remotely. This attack was well past conception and early planning. However, forty-five 
days before the attacks, Ayman al-Zawahiri, Osama bin-Laden’s number two man, called 
it off. 158 


c. Herald Square Subway Bombing Plot -August 2 7, 2004 

On August 27, 2004, three days before the Republican National 
Convention, Shahawar Matin Siraj and his co-conspirator James Elshafay were arrested 
for planning to attack the Herald Square station in New York City with bombs in their 
backpacks. 159 Prosecutors said the men wanted to avenge the abuse of prisoners at the 
Abu Ghraib prison in Iraq. At the time of the arrests, the authorities said that the men 
never obtained explosives and had not been linked to known terrorist groups. James 
Elshafay pleaded guilty and testified against the mastermind of the plot, Shahawar Matin 
Siraj, who was sentenced in January 2007 to thirty years in prison. 160 

These terror plots indicate that the NYC subway system is an attractive 
target to terrorists. The NYC subway system is a component of a much larger network 
operated by the Metropolitan Transit Authority (MTA). The MTA is the largest in North 
America, serving a population of 14.6 million people in the 5,000 square-mile area, 
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fanning out from New York City through Long Island, southeastern New York state, and 
Connecticut. The NYC subway system alone covers the Boroughs of Manhattan: Bronx, 
Brooklyn, Queens, and Staten Island. There are 468 subway stations, twenty-six subway 
lines, and 6,241 subway cars. 161 Given its composition, the NYC subway system is very 
open and accessible, with fixed, predictable access points. The system’s openness would 
make it easy for potential terrorists to hide in crowds without arousing suspicion. 
Securing such a system presents transit officials and the New York City Police 
Department (NYPD) with daunting challenges. 

Just across the Hudson River, in New Jersey, is another highly accessible 
passenger rail network. NJ TRANSIT covers a service area of 5,325 square miles and is 
the nation’s third largest provider of bus, rail, and light rail transit, linking major points in 
New Jersey, New York, and Philadelphia. The passenger rail system is comprised of 
eleven trains and forty-five light-rail vehicles. NJ TRANSIT provides nearly 223 million 
passenger trips each year. 162 It is interconnected with the Port Authority Trans-Hudson 
(PATH) system at various stations. PATH is a subsidiary of the Port Authority of New 
York and New Jersey. This heavy rail transit system serves as the primary link between 
Manhattan and neighboring New Jersey’s urban communities and suburban railroads. 
PATH presently carries 227,000 passengers each weekday. 

The PATH transit systems possess a different set of security challenges 
due to its unique operating structure, and the fact that it runs through tunnels under the 
Hudson River. The New York Times reported that in July 2006, several people were 
arrested overseas in what authorities said was a plot to bomb the PATH system. The 
arrests halted what officials said was a bid to set off backpack bombs in a PATH train 
car, and flood the tunnels. Some published reports said maps and other material relating 
to the PATH tunnels had been found on the computer of one of those arrested. 163 This 
threat spiraled into another issue that surfaced regarding the vulnerability of the PATH 
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system. In December 2006, a government official gave a draft summary of an analysis of 
the PATH system to the New York Times. The official said the latest analysis indicated 
that it would take only six minutes for one of the PATH tubes to flood if a significant, but 
not necessarily very large, bomb were detonated. The New York Times also reported that 
the analysis appeared to be the most detailed and sophisticated government review of the 
train tubes’ vulnerability. The analysis revealed that the Hudson River tubes, which 
suffered serious damage in the 2001 terror attack, are more vulnerable than most other 
tunnels that pass under the city’s waterways because they lie in the soft riverbed, unlike 
other tunnels that are bored through the underlying bedrock. Over the years, silt has built 
up atop the tubes, which were laid roughly ninety years ago. 164 

4. Analysis and Key Judgments of the New York/New Jersey Passenger 
Rail System Threat 

The foreign incidents represent some of the most recent and high-profile attacks 
over a four-year period. These attacks, coupled with the threats made against the NYC 
Subway and PATH systems, illustrate the threat, target, and attack commonalities and 
characteristics. Based on these commonalities and characteristics, we can develop a threat 
analysis of the NYC Subway System, NJ TRANSIT, and PATH lines. In addition, the 
threat analysis will enable us to create a hypothetical attack scenario that targets these 
systems. Ultimately, the threat analysis is meant to evaluate the effectiveness of the 
integrative risk management/governance framework and the utility it has for the decision 
maker when faced with such a critical situation. 

A report released by the Department of Justice (DOJ) identifies an essential list of 
categories that are intended to create a foundation of data prior to conducting a thorough 
threat assessment. These categories will be the tool used for the threat analysis as it 
pertains to the New York and New Jersey passenger rail systems. 165 

1. Type/Category of Adversary: Terrorists acting alone or within groups or cells, 
who are extremely radicalized and willing to take the lives of others, who intend to cause 
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mass destruction, and in some cases take their own lives in order to inflict the greatest 
amount of harm. They can be categorized as foreign or domestic, terrorist or criminal. 166 

The four young men responsible for the London bombings are a good example of 
homegrown terrorism. These men (aged 18, 19, 22, and 30) were British citizens. 
Without prior experience or specific knowledge, they were able to organize four almost 
simultaneous bombings using homemade organic peroxide devices carried in backpacks. 
The construction of these devices did not require much expertise; the materials and 
equipment were readily available, and the plotters financed themselves at the modest cost 
of around $14,000. The bombs were built in the living room of an ordinary apartment in 
the city of Leeds. They were detonated manually in suicide attacks. The bombers were in 
contact with other Islamic extremists in the United Kingdom, but not in a sustained 
way. 167 

None of the four men had been identified as potential terrorist threats before the 
July bombings. They were largely invisible to the security services. The bombings 
showed that it may not be possible to identify significant actors in advance; nothing 
appeared to distinguish the bombers from other extremists who had not yet moved from 
talk to action. The radicalization process was apparently very quick, though, progressing 
rapidly from discussion to execution. The process was one of “self-radicalization.” It was 
not initiated or guided by an Islamic leader or the clerical authority of a radical Imam. 168 

It would be ignorant on our part to think that young Muslim men in the U.S. are 
not influenced by the global jihadist movement. With advancements in communication 
and technology, radicalizing potential jihadists through the Internet is not such a far 
reach. Benjamin and Simon report that what transforms jihadist violence is the ability to 
disseminate tactics, technical know-how, and strategy. The availability of training 
materials on the Internet, and targeting guidance that is independent of any vetting 
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process, allows volunteers to contribute to the cause immediately. The requirement for 
joining up is reduced to a simple process of self-selection. 169 


Type/Category of Adversary — Hypothetical Scenario Targeting the Passenger Rail 
System of New York/New Jersey: Three men ages 19, 20, and 22, all of whom are United 
States citizens residing in Paterson, N.J., have adopted the principles associated with 
Islamic radicalism. They are not openly engaged in the fundamental practices of Islamist 
activism, but confide in one another about their beliefs, ideological direction, and the 
forward progression of the jihadist movement. With the Presidential Election 
approaching, Osama bin Laden once again declares war on the U.S. Like all his previous 
statements, bin Laden’s message is unmistakably religious in tone and content. The three 
Paterson men take Bin Laden’s message very seriously, and begin to develop an attack 
strategy targeting the PATH transit lines. 


2. Objective of Adversary: Theft, sabotage, mass destruction, inflicting hann on 
innocent individuals that results in multiple casualties, impacting economic vitality, and 
ultimately make a socio-political statement. 170 

Some of the global attacks to passenger rail indicate that the core objective of the 
adversary was to maximize casualties and affect the socio-political positions within the 
country. The Madrid and London bombers were extremely radicalized. The religiously 
driven terrorists of the current era are distinguished from their more secular predecessors 
in their desire to kill large numbers of people on an indiscriminate basis; the 9/11 attacks 
and later operations carried out by A1 Qaeda-linked groups in Bali and Casablanca and 
other locales illustrate this. 171 

In addition to mass casualties, the Madrid and India-Pakistan attacks also had 
socio-political implications linked to their objectives — to affect the election of the Prime 
Minister in Spain, and to derail the improved relationship between India and Pakistan. On 
the domestic front, Shahawar Matin Siraj and James Elshafay were arrested for plotting 
to bomb the Herald Square station in New York City. Their objective was to avenge the 
abuse of prisoners at the Abu Ghraib prison in Iraq, yet another socio-political statement. 
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In either case, whether the objectives were driven by religion or socio-political 
statements, there was a distinct association with the radical Islamist movement. Hoffman 
states that the “...religious motive is overriding and indeed, the religious imperative for 
terrorism is the most important defining characteristic of terrorist activity today.” 172 


Objective of Adversary — Hypothetical Scenario Targeting the Passenger Rail System 
of New York/New Jersey: The Paterson group has adopted the principles associated with 
Islamic radicalism. They are individuals driven by a religious ideology. Therefore, 
violence is first and foremost a sacramental act or a divine duty executed in direct 
response to some theological demand or imperative. In this case it is bin Laden’s 
message. 173 The objective is to kill as many passengers as possible on the PATH transit 
line from New Jersey to New York, in response to bin Laden’s message. 


3. Number of Adversaries: Operatives acting within a coordinated cell or group 
of terrorists. The individual suicide bomber acting alone with no outside or group 
support. 174 

The individuals who executed the attacks in Madrid, London, and Mumbai were 
for the most part not intricately involved with an interconnected terrorist organization. In 
each case, however, the important point was that the groups were essentially local, but 
were inspired or emboldened by a global cause. The National Intelligence Estimate 
depicts this global jihadist movement, which includes the remnants of A1 Qaeda as well 
as local affiliates and imitators, as one that is spreading around the world. Self- 
radicalization at the individual level and self-generated cells at the organizational level 
are becoming more common. 175 
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Number of Adversaries — Hypothetical Scenario Targeting the Passenger Rail System 
of New York/New Jersey: The Paterson group is not linked to any external terrorist 
organization or cell. They do not need particular skills or resources in order to cause 
massive loss of life. They are self-radicalized and share knowledge retrieved from the 
Internet regarding tactics and target execution. The clerical authority that will legitimize 
their actions is solely in the words of bin Laden. 


4. Target Selected by Adversary: Critical infrastructure, government buildings, 
national monuments. 176 

The transnational historical perspective of the passenger rail threat was conducted 
to examine the possibility of passenger rail being targeted in the New York/New Jersey 
region. It was evident that this component of critical infrastructure would be difficult to 
protect and defend against any attack. It is an exceedingly soft target, and will continue to 
be an attractive one to terrorists. 


Target Selected by Adversary — Hypothetical Scenario Targeting the Passenger Rail 
System of New York/New Jersey: On several occasions the three members of the 
Paterson Group have traveled the PATH train from Exchange Place in Jersey City to the 
World Trade Center stop in lower Manhattan. They have agreed that due to the high 
volume of passengers on the PATH during rush hours, and the criticality that this mass 
transit system has to both venues, it would make for a prime target, and answer the 
calling of bin Laden’s message. 


5. Type of Planning Activities Required Accomplishing the Objective: Casing 
and photographing high-volume passenger rail systems and locations in the region. Maps 
and scheduling infonnation are available on the web. Observation of security, easy access 
points, and high-volume travel lines. The openness of the system makes it difficult to 
detect reconnaissance operations conducted by an adversary. The London bombers were 
observed on-camera while executing the attack. There was no behavioral indication that 
would have alerted authorities to take action in order to prevent the attack. The same can 
be said for other individuals who may be observing the passenger rail environment with 
expectation of carrying out an attack. 
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Type of Planning Activities Required Accomplishing the Objective - Hypothetical 
Scenario Targeting the Passenger Rail System of New York/New Jersey: The Paterson 
group has utilized the high volume of pedestrian traffic as concealment during 
reconnaissance operations of the PATH lines. They have timed departure and arrival 
times in order to identify when the train would be in the tube under the Hudson River. No 
photos were necessary; maps and schedules were retrieved from the Internet. 


6. Most Likely “Worst Case” Time an Adversary Could Attack: Past attacks 
indicate that rush hour is the optimal time. Passenger density and volume is at its peak, 
which will increase the number of casualties. Platforms at major rail exchanges are also a 
primary concern due to the high volume of transients. Previous attacks illustrate such a 
pattern: 

• Moscow, Russia, metro bombing - 8:40 a.m., morning rush hour 

• Madrid, Spain, train bombings - 7:45a.m., morning rush hour 

• London, England, transit bombings - 8:50 a.m. and 9:47 a.m., morning rush hour 

• Mumbai, India, train attacks - 6:30 p.m., evening rush hour 177 


Most Likely “Worst Case” Time an Adversary Could Attack - Hypothetical Scenario 
Targeting the Passenger Rail System of New York/New Jersey: Through observation 
and surveillance, the Exchange Place stop is at peak volume between 8:10 a.m. and 8:45 
a.m. The Paterson group has identified this time-window as the optimal time for 
execution. 


7. Range of Adversary Tactics: The tactics utilized have primarily focused on 
remote detonation with timing devices, as was the case of the Madrid, Mumbai, and 
India-Pakistan attacks. Bags and backpacks were obscured from passenger view in racks 
and under seats. 

One of the most lethal tactics is that of the suicide bomber. Terrorists have 
become increasingly attracted to suicide attacks because of their unique tactical 
advantages, compared to those of more conventional terrorist operations. Suicide tactics 
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are devastatingly effective, lethally efficient, have a greater likelihood of success, and are 
relatively inexpensive. 178 Past passenger rail attacks indicate that attacks underground or 
in tunnels have significant consequences, as with the London and Mumbai bombings. In 
addition, self detonation is less complex than remote timing devices. This can be 
appealing to the homegrown terrorist, who is less sophisticated than an operational 
terrorist group. 

Fathali M. Moghaddam, in his book From the Terrorists ’ Point of View: What 
They Experience and Why They Come to Destroy, points out that what makes suicide 
terrorism strategically effective is that it is very difficult, in practice perhaps impossible, 
to guard against. Modem economies rely on mass movements of people, particularly in 
and around major urban centers that house millions of people from different ethnic, 
religious, and national backgrounds. The diversity of the people who move across borders 
and in and out of major urban centers makes it even more difficult to screen for suicide 
terrorists. The July 2005 suicide bombings in London illustrate this point: These four 
homegrown suicide bombers were part of immigrant communities that settled in England 
but had ties to radicals in Pakistan. In essence, these were “terrorists without borders,” 
who executed a plan to bring the London transportation system to a standstill. 179 


Range of Adversary Tactics — Hypothetical Scenario Targeting the Passenger Rail 
System of New York/New Jersey: In his book Dying, to Win: The Strategic Logic of 
Suicide Terrorism , Robert Pape points out a significant component, which is common 
with the Paterson Group, is that suicide bombers often work in teams. In fact, many 
suicide attacks involve multiple individuals working together for long periods of time to 
gather intelligence, plan, and rehearse the mission. Team suicide attacks, by their nature, 
are based on extensive social interaction and require unity of purpose, features that are 
more likely associated with altruistic motives. 180 The Patterson group is committed to 
making the ultimate self-sacrifice by targeting the PATH system utilizing themselves as 
the destructive device. Their radicalism and call to honor bin Laden is their motivation. 


178 Hoffman, Inside Terrorism: Revised and Expanded Edition, 132. 

179 Fathali M. Moghaddam, From the Terrorists’ Point of View: What They Experience and Why They 
Come to Destroy (Westport, Connecticut: Praeger Security International, 2006), 123-124. 

180 Robert A. Pape, Dying to Win: The Strategic Logic of Suicide Terrorism (New York: Random 
House, 2005), 185. 
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8. Capabilities of Adversary: Past incidents reveal that most attacks are carefully 
planned and executed. Knowledge and skillful adversaries can easily weaponize devices 
that contain gasoline components and create incendiary effects. More skillful adversaries, 
who can obtain resources to build explosive devices, pose a greater threat. The London 
bombers utilized homemade organic peroxide devices carried in backpacks. 181 Although 
these were highly unstable, the expertise to make these devices did not take great skill. 


Range of Adversary Tactics - Hypothetical Scenario Targeting the Passenger Rail 
System of New York/New Jersey: The Paterson group is made up of educated young 
men. Although they have no formal training with explosives, the eldest of the three 
attends New York University and is pursuing a degree in biology. Chemistry is a 
requirement for the curriculum, and has provided him with a basic understanding of 
combining chemical compounds. He is advanced enough to create a device comprised of 
hexamethylene triperoxide (TATP), the explosive used by the London bombers. His 
objective is to create three devices, all of which are designed to be self-detonating. 


The threat analysis for the NY/NJ Passenger Rail System, coupled with the 
hypothetical scenario of the Paterson Group, is designed to create a foundation for 
conducting an evaluation of the risk management/govemance framework. The homeland 
security problem space is too large for a risk management framework that is intended to 
cut across multiple problem areas. By narrowing down the scope to a sector/region- 
specific threat, the elements of the risk management/governance framework can be 
adequately evaluated. The hypothetical scenario was developed to assist with the logical 
findings of the risk management/governance framework as an application for homeland 
security decision makers. The threat analysis covers eight categories essential for 
collecting data, which can be further filtered through a thorough threat assessment 
process. Each category correlated with the hypothetical scenario, painting a picture of a 
possible terrorist attack against the PATH Passenger Rail Lines. 


181 MIPT Terrorism: “What’s Coming the Mutating Threat,” 20. 
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B. RISK PERCEPTION AND THE PASSENGER RAIL THREAT 

1. Risk Perception and the Risk Management Framework Correlation 

The public’s reaction to the events of September 11 and its aftennath provide an 
important insight into the psychology of risk perception and response to risk. For 
example, it demonstrates the selective nature of focusing attention on different sources of 
risk or danger. Paul Slovic points out that, through the process of risk amplification, the 
adverse impact of such an event sometimes extends far beyond the direct damage to 
victims and property, and may result in massive indirect effects. 182 The indirect effect of 
September 11 made Americans realize they are no longer safe, and are vulnerable to 
international terrorist attacks inside U.S. borders. This has changed America’s perception 
of terrorism risk. 

Risk perception is the subjective assessment of the probability of a specified type 
of accident happening, in this case a threat or attack to passenger rail, and how concerned 
one is with the consequences. To perceive risk requires an evaluation of the probability as 
well as the consequence of a negative outcome. Perception of risk goes beyond the 
individual. It is a social and cultural construct reflecting values, symbols, history, and 
ideology. 183 Policy makers need a better understanding of how the public perceives risk 
in general and the specific risks associated with terrorism. Risk management decisions 
may be influenced by public perceptions of risk, which may result in a shift of resource 
allocations or operational deployment strategies. 

The risk management/governance framework analyzed for this study provides a 
logical set of actions that can produce an effective methodology for decision makers to 
follow. By further researching the components of public risk perception and the 
passenger rail threat, we can identify whether the risk management/governance 
framework takes public perception into account. 

182 Paul Slovic and Elke Weber, “Perception of Risk Posed by Extreme Events,” Paper presented at 
the conference Risk Management Strategies in an Uncertain World, Palisades, New York, April 12-13, 
2002 , 12 . 

183 Lennart Sjoberg, Bjorg-Elin Moen, Torbjorn Rundmo, Explaining Risk Perception: An Evaluation 
of the Psychometric Paradigm in Risk Perception Research, Trondheim, Norway: Norwegian University of 
Science and Technology, 2004, 8. 
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2 . 


Risk Perception and Terrorism 


Suppose for a moment that the Port Authority of New York/New Jersey receives a 
threat that large vehicle truck bombs containing radioactive material will be detonated in 
the tubes of both the Lincoln and Holland Tunnels. Both tunnels are shut down 
immediately, and all other Hudson River crossings are placed on high alert. Traffic 
diversion plans are implemented on both sides of the river, resulting in a transportation 
nightmare. Within thirty-six hours, DHS announces that the threat has passed. However, 
the Port Authority continues to divert trucks to other Hudson River crossings, causing 
immense traffic jams and motorist confusion. People begin to leave their vehicles at 
home due to the increased delays, and start to use the PATH train to travel into 
Manhattan. The PATH system is now packed with people, making it a most undesirable 
means of transportation. This illustration demonstrates the importance of perceived risk 
regarding terrorism: The perception of risk — regardless of whether a threat is actually 
present — is sufficient to cause widespread disruption. Understanding how specific 
factors drive the perception of risk is essential to understanding how people will respond 
to threats of terrorism. 184 

Since there have been a limited number of terror-related attacks on U.S. soil, it is 
unclear how Americans perceive the likelihood of an attack, to the consequences of 
different types of attacks and how the public might respond. Understanding the terrorist 
threat is critical to maintaining public morale, sustaining economic activity, and limiting 
disruption to normal daily routines. Obtaining a deeper understanding of how Americans 
perceive the terrorist threat will assist the development of policies and procedures for 
educating and preparing the nation for the impact of an act of terrorism, if it were to 
occur. 185 

Paul Slovic, in his book The Perception of Risk, discusses the utility of the 
psychometric paradigm to measure the public’s perception of risk. The psychometric 

184 Clinton M. Jenkin, “Risk Perception and Terrorism: Applying the Psychometric Paradigm,” 
Homeland Security Affairs II, no. 2 (July 2006), 1. 

185 The Society for Risk Analysis, http://www.sra.org/events 2007 meeting.php [Accessed December 18, 
2007], 
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paradigm is a theoretical framework that assumes risk is subjectively defined by 
individuals who may be influenced by a wide array of psychological, social, institutional 
and cultural factors. The paradigm assumes that, with appropriate design of survey 
instruments, many of these factors and their interrelationships can be quantified and 
modeled in order to illuminate the response of individuals and their societies to the 
hazards that confront them. 186 Slovic refers to this psychometric paradigm as a strategy 
for studying perceived risk by developing classifications of hazards that can be used to 
understand and predict responses. Within the paradigm, people make quantitative 
judgments about the current and desired riskiness of diverse hazards, and the desired 
level of regulation of each. 187 

In Clinton Jenkin’s article, “Risk Perception: Applying the Psychometric 
Paradigm,” he explains that psychometric studies have examined numerous dimensions 
of risk for scores of hazards. The commonly used dimensions are listed in Table 2. 188 


186 Paul Slovic, The Perception of Risk (London: Earthscan Publications Ltd, 2000), xxiii. 

187 Ibid., 222. 

188 Jenkin, “Risk Perception and Terrorism,”?. 
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Table 2. Qualitative Dimensions of Risk Used in the Psychometric Paradigm 189 


Voluntariness 

The extent to which exposure to the hazard is voluntary. 

Immediacy 

The extent to which the consequences are noticed 
immediately. 

Knowledge of exposure 

The extent to which a person knows if he/she has been 
exposed. 

Expert knowledge 

The extent to which experts know about the hazard. 

Controllability* 

The extent to which a victim can control the severity of 
consequences due to exposure. 

Novelty 

The extent to which the hazard is new to society. 

Catastrophic potential* 

How many fatalities occur at once. 

Dread* 

The extent to which the effects of exposure are dreaded. 

Severity* 

The extent to which the consequences of exposure are 

severe. 

Delayed 

The extent to which the consequences of exposure are 
delayed. 

Certainly fatal* 

The extent to which exposure will definitely cause 
fatality. 

Increasing* 

The extent to which the risk is increasing over time. 

Preventability* 

The extent to which the hazard is preventable. 

Inequitable* 

The extent to which risks and benefits are not equally 
distributed across society. 

Affects future generations* 

The extent to which the hazard will affect future 
generations. 

Global catastrophe* 

The extent to which the hazard threatens a global 
catastrophe. 

Easily reduced* 

The extent to which risk associated with the hazard can 
be easily reduced. 

Personal impact* 

The extent to which the risk affects the respondent 
personally. 

Observability 

The extent to which the effects of exposure are 
observable. 


Dimensions marked with a (*) were directly correlated with perceptions of risk 19 ® 


189 Jenkin, “Risk Perception and Terrorism,” 8. 

190 Ibid. 
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This multitude of dimensions can lead to very cumbersome research designs, so 
most risk studies include the dimensions most applicable to the study at hand. For 
example, a terrorism study may elect to exclude inequatability because the inequity of 
terrorism risk is not likely to be an issue, as it might be for the risk of a toxic waste dump 
or nuclear power plant. 191 

For the purposes of this research and correlation to the risk management 
frameworks, we can look at the dimensions of risk using the Psychometric Paradigm, and 
draw from it a matrix that is specific to the threat associated with passenger rail 
transportation. The matrix in Table 3 will provide us with a public risk perception (PRP) 
outlook that can be drawn upon during the risk management/govemance framework 
evaluation. 


191 Jenkin, “Risk Perception and Terrorism,” 7. 
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Table 3. Qualitative Dimensions for Public Risk Perception Matrix as it Pertains to 

Passenger Rail Transportation 


Expert knowledge 

The extent to which experts know about the hazard. 

PRP: The public’s reliance on the intelligence community’s ability 
to collect data indicating a threat directed at passenger rail 
transportation. 

Controllability* 

The extent to which a victim can control the severity of 
consequences due to exposure. 

PRP: Consequences can be mitigated due to a timely first responder 
element. 

Novelty> 

The extent to which the hazard is new to society. 

PRP: Terrorism targeting passenger rail is prominent on a global 
stage, and has had domestic implications in the U.S. 

Catastrophic potential* 

How many fatalities occur at once. 

PRP: Potential consequences of fatalities is determined by method 
of attack and targeted location. 

Severity’* 

The extent to which the consequences of exposure are severe. 

PRP: Severity of the attack is determined by method of attack, target 
location, cascading affects, public fear. 

Increasing* 

The extent to which the risk is increasing over time. 

PRP: Transnational attacks and domestic threats to passenger rail 
will increase the risk. 

Preventability* 

The extent to which the hazard is preventable. 

PRP: The openness of passenger rail transportation makes it 
difficult to prevent an attack from being executed. 

Easily reduced* 

The extent to which risk associated with the hazard can be easily 
reduced. 

PRP: Protection measures can be implemented, however, the risk is 
not easily reduced due to the vulnerabilities associated with 
passenger rail. 


Models that gauge risk perception and that can be applied to terrorism are difficult 
to evaluate. In the book Psychology of Terrorism, the authors suggest that two factors 
may be central to understanding how people assign values to terrorist incidents. The first 
factor can be described as “dread risk,” a continuum beginning with low-dread events, 
which are seen as controllable, not catastrophic, decreasing in risk over time, and 
generating little risk for future generations. Conversely, high-dread events are viewed as 
having a high mortality rate, being globally catastrophic and inescapable, and increasing 
in risk over time. 192193 


192 Bruce Bongar et al., Psychology’ of Terrorism, Oxford, New York: Oxford University Press, 2007, 
35. 

1 93 Slovic and Weber, “Perceptions of Risk Posed by Extreme Events,” 10. 
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A second factor is “u nkn own risk,” which begins at the low-risk level with well- 
understood, observable, non-novel events. If an event is high on the u nkn own risk 
dimension, it is characterized by having a delayed or persisting effect, and being a novel 
threat that is poorly understood. 194 

In evaluating the “dread risk” factor, the public perception of a terrorist attack 
being carried out against passenger rail will be considered low. However, add to the 
equation a transnational terrorist attack that targets the London underground, killing 
hundreds of people, followed by a credible threat against passenger rail for the NYC 
subway system, and the “dread risk” factor becomes a “high dread” event. The “u nkn own 
risk” factor for an attack targeting passenger rail is, for the most part, considered a low- 
risk level in the absence of a credible threat. 

To illustrate the “dread risk” and “u nkn own risk” factors, we can look at the 
October 6, 2005, threat against the NYC subway system. FBI and DHS intelligence 
sources indicated that nineteen operatives had been deployed to New York to target the 
system. Although the intelligence turned out to be non-credible, NYC Police 
Commissioner Ray Kelly and NYC Mayor Michael Bloomberg immediately 
implemented protective security measures by increasing police patrols, explosive 
detection canines, and random bag and package searches. 195 Without threat intelligence, 
the “dread risk” and “unknown risk” factors remained low. The heightened security and 
elevated alert status associated with this threat, however, increased both the “dread risk” 
and “unknown risk” factor. 


194 Bongar et at, Psychology of Terrorism, 35. 

195 ABC News website, “Police Investigate New York Subway Terror Threat,” October 6, 2005 
http://abcnews.go.com/US/storv?id=l 190231 [Accessed on December 27, 2007]. 
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V. AN INTEGRATIVE RISK MANAGEMENT/GOVERNANCE 
FRAMEWORK FOR HOMELAND SECURITY DECISION MAKING 


A. INTELLIGENCE SIMULATION FOR TERROR THREAT TO THE 

PASSENGER RAIL SYSTEM 

1. Introduction 

Chapter IV provided a qualitative risk and threat analysis based on three 
underlying threat analysis factors that are central to the passenger rail transportation 
sector: global attacks and threats to passenger rail transit systems; the terror threat to 
passenger rail transportation for New York and New Jersey; and analysis and key 
judgments of the New York/New Jersey passenger rail system. Based on this analysis, a 
hypothetical scenario was matched with categories that are intended to create a 
foundation of data prior to conducting a thorough threat assessment. This segment of the 
chapter is meant to simulate intelligence that has been collected, processed, and 
disseminated based on the hypothetical scenario. 

2. Intelligence Threat Simulation 

The Integrative Risk Management/Governance Framework can be applied to a 
variety of homeland security issues in order to evaluate the process. Rather than focus on 
resource allocation and cost-effective strategies, threat intelligence and strategic 
operational deployment strategies will be the primary driver for the framework. Earlier in 
this paper, we examined wicked problems and how they could be applied to the 
passenger rail transportation threat environment: 

• Screen every passenger or conduct random screening? 

• Screen every passenger and cause extensive delays in commuter operations? 

• Identify a threat when there is a great deal of intelligence, but nothing 
specific. 

• Identify a threat when there is no credible intelligence targeting passenger rail. 

• Identify the appropriate response when there is tactical intelligence of a threat 
targeting passenger rail, and that intelligence is specific to cell operations. 
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Clearly these are a set of issues that would intensify based on data that is 
collected, processed, and vetted through the intelligence cycle. A daunting challenge of 
the intelligence community evolves around what is relevant and what is actionable. How 
do we extract the desired intelligence from a mountain of information, and use it to drive 
down risk? 


Threat Intelligence Simulation for Passenger Rail System of New York/New Jersey 

With the 2008 Presidential election approaching, Osama bin Laden once again 
declares war on the U.S. Like all his previous statements, bin Laden’s message is unmistakably 
religious in tone and content. The underlying factor that emerges is, “Attack U.S. citizens on 
American soil. ’’ The three Paterson men take Bin Laden’s message very seriously, and begin to 
develop an attack strategy’ targeting the PATH transit lines. 

Bin Laden’s message has caused a recent increase in intelligence "chatter," which 
might indicate an imminent terrorist attack. The U.S. intelligence community has begun to 
monitor this chatter; they examine not the content of communications intercepts, but the 
volume. Analysts and intelligence operatives are paying close attention to fluctuations in the 
number of messages sent and received over networks used by known and suspected terrorists. 

Until now, the Paterson group has been operating on its own, without any 
transnational influence. They are purely homegrown radicalized individuals, but feel the desire 
to make contact with al Qaeda operatives in the Middle East, and inform them of their plans. 
One of the Paterson men has made contact with an individual on the national watch list. 
Throwaway cell phones, computer kiosks located in New York and New Jersey, and various 
Internet cafes have enabled the men to use a different network each time they communicate 
with this transnational operative. 

Intelligence agencies have noticed volume spikes on several networks, and have 
compared them with the content of recent local (NY/NJ) communications intercepts, satellite 
observations abroad, and information passed to intelligence operatives in other countries. 

Although there is no intelligence on the capability of an adversary>, a pattern has 
emerged that indicates the possibility of an explosive attack on the passenger rail systems of 
New York and New Jersey. 
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B. APPLIED INTEGRATIVE RISK MANAGEMENT/GOVERNANCE 
FRAMEWORK TO TERROR THREAT FOR PASSENGER RAIL 
TRANSPORTATION SYSTEM 

1. Introduction 

The intelligence threat simulation has been constructed to necessitate courses of 
action taken by federal, state, and local leaders that are responsible for managing risk in 
the New York/New Jersey region. The Integrative Risk Management/Governance 
Framework will provide the process that a homeland security decision maker may choose 
to use as a guide when making decisions how to respond to the threat. The methodology 
utilized for the framework analysis in Chapter III will be consistent with this framework, 
with the exception of integrating the analytical, intuitive, and capability-based decision 
making with the strategic, operational, and tactical decision-making processes. Examples 
will be provided to illustrate the various processes, networks, entity capabilities, and risk 
assessment methodologies that support the decision maker. They are by no means 
exhaustive; they are supporting elements. 
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Figure 12. Integrative Risk Management/Governance Framework 
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2. Final Analysis, Implementation and Evaluation of Applied 
Framework 

The Pre-Assessment and Set Security Goals and 
Objectives Components provide a starting point for 
the decision maker in developing a strategy that can 
be applied to best manage risk, and prevent an attack 
from occurring on the passenger rail systems of 
NY/NJ. Each of these components provide the 
decision maker with elements that can guide 
decisions, whether they are based on the 
implementation actions that are relevant to the 
Management Sphere, or the generation of knowledge, 
which is relevant to the Assessment Sphere. 
Collectively, both components provide a foundation 
and building block that will guide the decision¬ 
making process, and support a seamless transition 
into the Risk Appraisal phase. 


Pre-Assessment 


• Problem Framing 

• Monitoring and 
Warning, Screening 

• Identify Assets, 
Systems, Networks, 
and Functions 


Set Security Goals & 
Objectives 


• Prevention 

• Response 

• Protection 

• Recovery 
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The Strategic DM can utilize these components to develop a course of action to best 
prevent an attack from being carried out against the passenger rail system of NY/NJ. 
Problem framing will assist with developing goals and objectives for each of the 
mission areas (prevention, protection, response, recovery). An intricate element for 
problem framing will be the collection, processing, and dissemination of actionable 
intelligence. All relevant intelligence agencies can utilize the problem framing 
principle to categorize the significance of the threat. Monitoring and warning, and 
screening tools are identified and will support each of the mission areas by 
providing real-time situational awareness and monitoring of the operational 
environment. This component enables the Strategic DM to develop goals and 
objectives so that Operational and Tactical decision makers can carry out the 
Strategic DM intent and course of action. 

Examples: 

Problem Framing: Agencies that support this element include FBI Joint Terrorism 
Task Force (JTTF), DHS, TSA, NYPD, Port Authority Police Department (PAPD), 
New Jersey State Police (NJSP), NJ Transit, and the Port Authority of NY/NJ. 
Monitoring & Warning: Information sharing takes place among the Homeland 
Security Information Network (HSIN), NYPD Command and Control Center, 
NYPD Regional Intelligence Center (RIC), NJ Regional Operations Intelligence 
Center (ROIC), NY/NJ Regional Information Sharing Environment (RISE). 

Operational DM 

The Operational DM can develop operationally based strategies to support the 
mission areas. First and foremost will be prevention. The Operational DM can 
utilize problem framing to determine what passenger rail transportation nodes are 
most critical, and can utilize monitoring and warning, and screening to identify the 
areas with the highest passenger volume, and then determine the operational 
objectives to best protect and defend those areas. In addition, close coordination 
with intelligence factions helps to prevent impeding on immediate action measures. 
The Operational DM can identify capabilities and analytical products to support 
deployment goals. 

Examples: 

Problem Framing: To support mission areas. 

Prevention: Layered security approach throughout rail transportation system 
conducted by NYPD, PAPD, NJ Transit, NJSP. The goals and objectives for this 
approach should be oriented toward achieving optimal enforcement in order to deter, 
disrupt, or mitigate the impact of a terrorist attack, which could include physical 
modifications, technologies, and passenger bag screening. 

Monitoring & Warning: Information sharing takes place among analytical fusion 
centers and NYPD-RIC, NJ-ROIC, and NY/NJ-RISE. 

Tactical DM 

The Tactical DM can support operational goals and objectives by identifying the 
necessary tactical elements needed to best support the mission areas. The Tactical 
DM can utilize problem framing, monitoring and warning to identify the specificity 
of the threat. If intelligence indicates that explosives are the primary method of 
attack, the Tactical DM can support the strategic goals and objectives by identifying 
deterrence strategies. The Tactical DM may call upon Intuitive DM if an attack is 
imminent. 

Examples: 

Problem Framing, Monitoring & Warning: Explosive attack modus operandi - 
regional law enforcement entities can deploy explosive detection K9 teams, NYPD 
explosive trace detection elements, container bag screening. 
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The Risk Appraisal Component is a combination of risk 
assessment and concern assessment. The risk assessment 
contains the essential elements of threat, vulnerability, 
consequence, and criticality. Uncertainty and complexity 
are elements as well, and reflect the difficult challenges 
decision makers have when threat of attack is uncertain, 
and the complexity of the infrastructure, such as the rail 
transportation system, is so vast and open. Concern 
assessment contains the elements of risk perception and social concern. The Qualitative 
Dimensions for Public Risk Perception Matrix as it pertains to Passenger Rail 
Transportation (Table 3 in Chapter IV) examined the fear and dread associated with a 
terrorist attack directed at the passenger rail system. It illustrated that risk management 
decisions can be influenced by the public perception of risk, which may result in a shift 
of operational deployment strategies. Based on the threat simulation, decision makers 
must consider all elements that are central to the risk assessment, and factor in the risk 
perceptions and social concerns as well. 


Risk Appraisal 


Risk Assessment 

• Threat - Vulnerability 
- Consequence - 
Criticality 

• Uncertainty - 
Complexity 

Concern Assessment 

• Risk Perceptions 

• Social Concerns 


Risk Appraisal 

Strategic DM 

The Strategic DM can utilize the Risk Appraisal Component by first looking at 
the risk assessment. The elements of threat, vulnerability, consequence, and 
criticality can assist the Strategic DM through an analytical approach in order to 
identify a proven risk assessment methodology that is appropriately tailored for 
an explosive attack to passenger rail transportation. Uncertainty and complexity 
is high during the Strategic DM process due to the nature of the threat. The 
Strategic DM must take into account risk perception and social concerns as well. 
The public must be informed through public awareness strategies, which may 
also act as deterrence measures. 

Examples: 

Threat Analysis: Generated actionable intelligence products that can support 
the Strategic DM through collaborative efforts. Facilitated by the FBI-JIC, 
NYPD-RIC, NJSP-ROIC. 

Vulnerability Assessments (VA): Current documentation identifying 
vulnerabilities to the rail transportation sector for NY/NJ. The VA should be 
specific to the intent and capability of the adversary. Tools should be tailored to 
the threat in question. 
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Consequence Analysis (CA): Identifying the highest level of risk based on loss 
of life and the cascading impact to other infrastructure. This includes 
quantitative consequence analysis, if applicable. Response and recovery 
strategies must also weigh into the consequence analysis. 

Concern Assessment: Identify the ramifications if the threat is 
miscommunicated. 

Operational DM 

The Operational DM can make better informed decisions based on baseline 
criteria through risk assessment methodologies. Tool enhancements tailored for 
the threat, vulnerability, consequence, and criticality for the passenger rail 
system assist the Operational DM with deployment analysis. Uncertainty and 
complexity are high, and factor into the Operational DM process. Intuitive DM 
may be required if an attack is imminent. 

Examples: 

Threat Analysis: Generated actionable intelligence products that support the 
Operational DM. Timely dissemination is critical. Intelligence/operations 
interface should be supported at every level of decision making. Agencies 
include FBI-JIC, NYPD-RIC, NJSP-ROIC. 

Vulnerability Assessments (VA): Current documentation identifying 
vulnerabilities to the rail transportation sector for NY/NJ. Information should 
enable Operational DM to make decisions based on the most vulnerable and 
accessible entry points. Such a large system makes this difficult to achieve. 
Consequence Analysis CA: Looks at commuter volume on given railways and 
the highest risk based on loss of life and the cascading impact to other 
infrastructure. Appropriate response measures are identified through assessment. 
Concern Assessment: Operational deployments such as the NYPD Operation 
Atlas, NJSP Target Hardening Response Emergency Activation Teams 
(THREAT) that are recognized by the public and may reduce public risk 
perception. 

Tactical DM 

The Tactical DM relies on the risk appraisal for identifying adversarial 
capabilities. Intent and capability will factor into the Tactical DM approach. The 
risk assessment should be tailored for the Tactical DM to support the best 
informed decisions in order to prevent and respond if an attack is executed. 
Uncertainty and complexity factor heavily into the Tactical DM, who is 
operating within the target environment and may rely on Intuitive DM skills, if 
need be. 

Examples: 

Threat Analysis: Generated actionable intelligence products that can support 
the Tactical DM. Timely dissemination is critical. Intelligence operations 
interface should be supported at every level of decision making, including FBI- 
JIC, NYPD-RIC, NJSP-ROIC. The focus is on intent and capability, and the 
type of explosives and delivery system (remote detonation contained within 
package, suicide attack) that might be used. 

Vulnerability Assessments (VA): Current documentation identifying 
vulnerabilities to the rail transportation sector for NY/NJ. Information enables 
Tactical DM to deploy detection and prevention measures at the most vital 
nodes. These measures may include passenger bag screening or explosive 
detection K9 teams. 

Consequence Analysis CA: Assess response procedures to ensure adequate 
life-saving measures. Entities include the NYPD, Fire Department of New York 
(FDNY), PAPD, NJSP, and the Northern NJ first responders. 
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Prioritization 


• Alternatives 
Evaluation 

• Prioritize Assets, 
Systems, Networks, 
and Functions based 
on Risk Assessment 


Tolerability Acceptability & 
Judgment 


• Risk 

Characterization 

• Risk Evaluation 


The Prioritization and Tolerability Acceptability and 
Judgment Components are placed at the lower half of 
the Assessment Sphere for this framework so the 
decision maker can take into account all relevant 
assessment information that is generated through the 
Pre-Assessment, Security Goals and Objectives, and 
Risk Appraisal Components. This is integral to the 
process prior to risk characterization and evaluation, 
which is aimed at judging a risk’s acceptability and/or 
tolerability. The threat to the passenger rail system is a 
risk that does not translate well as being an acceptable 
risk. The decision maker can take into account 
alternative solutions based on further intelligence. 


Prioritization / Tolerability Acceptability & Judgment 

Strategic DM 

The Strategic DM ensures prioritization of all relevant assets, and that those 
involved in prevention, protection, and response understand the implementation 
strategies and monitoring elements. Risk assessment methodologies are re¬ 
evaluated. 

Examples: 

Alternatives Evaluation: An increased level of actionable intelligence necessitates 
a strategic change in the course of action. Regional law enforcement entities may 
redeploy based on that intelligence. Intuitive DM may be required. Responsible 
entities include FBI-JIC, NYPD-RIC, NJSP-ROIC. 

Tolerability Acceptability Judgment: Risk has been characterized as being un¬ 
acceptable. All precautions will be carried out to prevent an attack. 

Operational DM 

The Operational DM ensures that operational priorities are consistent with the 
course of action developed by the Strategic DM, and that entities responsible for 
prevention, protection and response understand the implementation strategies. Clear 
lines of communication are established with intelligence agencies. 

Examples: 

Alternatives Evaluation: An increased level of actionable intelligence necessitates 
immediate operational deployment. Regional law enforcement entities may redeploy 
based on intelligence. Intuitive DM may be required. All regional entities are 
monitoring the intelligence/operations interface. 

Tolerability Acceptability Judgment: Risk has been characterized as being 
unacceptable. All precautions will be carried out to prevent an attack. 

Tactical DM 

The Tactical DM can ensure that tactical prevention and protection capabilities are 
available and consistent with operational deployment strategies. Entities responsible 
for prevention, protection and response understand the implementation strategies. 
Clear lines of communication are established with intelligence agencies. 

Examples: 

Alternatives Evaluation: An increased level of actionable intelligence requires 
immediate tactical intervention. Regional law enforcement entities may need to 
respond based on intelligence. There is an increased need for Intuitive DM. All 
regional entities are monitoring the intelligence/operations interface. 

Tolerability Acceptability Judgment: Risk has been characterized as being un¬ 
acceptable. All precautions will be carried out to prevent an attack. 
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This component of the risk management/governance 
framework is assembled to ensure that all components of 
the risk management/governance process have been 
engaged by decision makers at every level. This is 
critical to the risk-management process, and is 
demonstrated through the principle decision-making 
tables. The strategic, operational, and tactical decision 
in the risk management/governance process. 

The Risk Appraisal Component was the primary driver for decision making that 
required risk assessment methodologies and concern assessment. The Risk Management 
Component represents the decisions that are based on action and execution. However, 
this framework illustrates the connectivity among all of the components by placing 
communication at the core of the process. The Communication Component interconnects 
each of the other components and elements of this framework. This feature demonstrates 
that risk assessment and risk-management principles taken collectively optimize 
informed decision making. 

The intelligence threat simulation has engaged each principle decision-making 
process at various levels. It is at this phase of the process that all prevention and 
protective measures are implemented and monitored to ensure that the best courses of 
action have been taken in order to drive down risk. 


Risk Management 


• Management 
Selection 

• Implementation 

• Monitor Measure 
Effectiveness 


makers have all been engaged 
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Risk Management 


Strategic DM 

The Strategic DM can ensure that implementation by operational and tactical 
elements is being carried out, and intelligence monitoring as well as 
situational awareness is being conducted at every level. There is an increased 
need for intuitive decision making. Analytical processes are continuous. 

Examples: 

Implementation: Agencies that support this element include FBI-JTTF, 
DHS, TSA, NYPD, PAPD, NJSP, NJ Transit, Port Authority of NY/NJ. 
Intelligence Monitoring & Situational Awareness: Information sharing 
takes place among analytical fusion centers and the FBI-JIC, HSIN, NYPD 
Command and Control Center, NYPD-RIC, NJ-ROIC, NY/NJ-RISE. 

Operational 

DM 

The Operational DM can ensure that implementation by tactical elements is 
being carried out, and intelligence monitoring as well as situational 
awareness is being conducted at operational deployment locations. 
Analytical processes are continuous. There is an increased need for intuitive 
decision making. 

Examples: 

Implementation: Implementation and layered security approach throughout 
rail transportation system is conducted by NYPD, PAPD, NJ Transit, and 
NJSP. 

Intelligence Monitoring & Situational Awareness: Information sharing 
takes place among analytical fusion centers and FBI-JIC, HSIN, NYPD 
Command and Control Center, NYPD-RIC, NJ-ROIC, NY/NJ-RISE. 

Tactical DM 

The Tactical DM can ensure that the execution of prevention and protection 
activities is being carried out by tactical elements. There is an increased need 
for intuitive decision making. Analytical processes are continuous. 

Examples: 

Implementation: Prevention and protection measures are implemented, 
such as random bag searches, explosive trace detection elements, and 
container screening. High law enforcement presence, including NYPD 
Operation Atlas and NJSP Target Hardening Response Emergency 
Activation Teams (THREAT). 

Intelligence Monitoring & Situational Awareness: Information sharing 
takes place among analytical fusion centers and the FBI-JIC, HSIN, NYPD 
Command and Control Center, NYPD-RIC, NJ-ROIC, NY/NJ-RISE. All 
intelligence dissemination needs to be timely and accurate. 
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VI. CONCLUSION 


A. RESEARCH IMPLICATIONS AND FINDINGS 

1. Research Overview 

This study explored the application of a risk management framework to improve 
the process of making decisions. It analyzed the complexity and uncertainty apparent 
when risk-informed decision making is required of our homeland security practitioners. 
The principles of decision making were integrated with each of the risk management 
frameworks developed by the Department of Homeland Security (Contained in the 
National Infrastructure Plan — NIPP), the Government Accountability Office (GAO), 
and the International Risk Governance Council (IRGC). Based on this analysis, an 
assessment was made regarding whether the frameworks provide a logical set of actions 
that a decision maker could follow. The commonalities and core attributes were then 
extracted from each framework that appeared to be the most effective at addressing 
current risk assessment shortcomings, and was integrated into a risk 
management/governance framework. 

This study also explored the utility of conducting a risk and threat analysis for a 
particular problem space found within the homeland security domain — the passenger 
rail transportation sector. From this analysis, the study developed a hypothetical scenario 
and intelligence simulation that targeted the passenger rail transportation system for New 
York and New Jersey. To evaluate its utility, the integrative risk 
management/governance framework was applied to this threat-based scenario. 

2. Benefits of a Risk Management Framework for Homeland Security 
Decision Making 

A comprehensive risk management framework can assist state and local leaders 
with homeland security decision making. Each of the currently available risk 
management frameworks can assist the decision maker with resource allocation and 
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situational, course-of-action decisions. No single framework, however, is perfect or 
perfectly applicable to homeland security, mainly because of the uncertainty and complex 
nature of terrorism. This leaves the decision maker with a series of challenges, the most 
pressing of which is to manage risk in an ever-evolving arena of homeland security. 

The integrated risk management/govemance framework was developed to 
integrate the core components and elements from each of the existing frameworks. The 
risk management/govemance process was meant to reveal the applicability of decision 
making throughout the risk process, combining both risk assessment and risk 
management principles. Essential to the risk management/govemance structure was 
identifying the need to specify tools and proven methodologies that are tailored to a 
specific problem or issue. 

The application of the risk management/governance framework to the passenger 
rail threat for New York and New Jersey revealed that strategic, operational, and tactical 
decision making occurs throughout the assessment process. The assessment and 
management spheres of risk based decision making provide the components and elements 
to guide the decision maker. Communication was central to the core process. Among 
decision makers who are engaging in risk assessment and risk management, 
communication can prove to be critical if, in fact, threat is introduced into an otherwise 
stable environment. 

The qualitative analysis conducted for the passenger rail transportation sector 
revealed that commonalities were evident for each attack methodology. Terrorist tactics 
were consistent with targeting times, explosive composition, and organizational and cell 
structures. Due to the difficulty of applying quantitative measures as a methodology to 
determine threat, this qualitative analysis provided an accurate platfonn for the threat 
scenario. 


3, Challenges with Risk Management Frameworks for Homeland 
Security Decision Making 

Evident in the NIPP framework was the consistency of supporting each phase of 


the process with core elements and procedures that can support the decision maker. 
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Sector-specific agencies need to tailor their risk-management processes with guidance 
and direction that is relevant to a particular phase. The framework provides the structure, 
but decision makers should be responsible for implementing the principal features. 
Another challenge is ensuring that decision makers at every level of an organization are 
engaged in the risk-management process. Although the strategic decision makers 
developed goals/objectives and a course of action, the analysis revealed that it was the 
operational and tactical decision makers who carried out the action and execution. 
Organizational decision makers at every level should be educated in the value and utility 
of a risk management framework. This may guide decision makers who are required to 
make decisions over long duration periods, or implement immediate action. 

B. RECOMMENDATIONS FOR FUTURE RESEARCH 

1. Risk Governance Framework Enhancement 

The risk management/governance framework combined risk management and risk 
assessment under the overarching umbrella of risk governance. Both risk assessment and 
management principles were integrated within a core process. This process is by no 
means exhaustive, and it may need refinements if it is to further enhance decision 
making. Risk governance principles outlined in the IRGC framework are inclusive of 
both risk management and assessment, and they may have an application for future risk- 
process studies. 

2. Risk and Decision Making 

Principles of decision making were explored and integrated within the risk 
management process. Further research — incorporating decision-making principles with 
processes associated with managing risk — is conducive, and can support homeland 
security leaders. The uncertainty and complexity of managing risk requires homeland 
security leaders to apply adequate decision-making skills within the ever-changing 
landscape of homeland security. 
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The homeland security domain is riddled with wicked problems, uncertainty, and 
complex issues. Managing homeland security risk is a daunting task. If decision makers 
are to make the best-informed decisions, they will need to use the most appropriate tools 
and methodologies. Through this research, an integrative risk management/governance 
framework emerged. This framework may be applied by homeland security leaders who 
are responsible for managing risk resources; it has the potential to optimize risk reduction 
across various sectors. Furthermore, the utility of this framework may enhance decision 
making within the vast, dense problem space associated with homeland security risk. 
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